
rule BlackListStrings
{
    // Review note: every pattern visible in the strings section is a plain text
    // string with no modifiers, so YARA matches it as case-sensitive ASCII only.
    // The same text stored as UTF-16 (common in Windows binaries) does not hit
    // unless the `wide` modifier is added.
    // Many entries are ordinary words or API names ("hello", "load", "wait",
    // "Port"), so a hit is a triage hint rather than a verdict.
    // NOTE(review): the condition is outside this excerpt - confirm how many
    // hits it requires before relying on this rule for alerting.
    meta:
        description = "Blacklist strings found"
        
    strings:
		// File-extension substrings. They are matched anywhere in the scanned data,
		// not only at the end of a file name, so short ones such as ".com" also hit
		// inside URLs and e-mail addresses.
		// Several entries are prefixes of others (".doc" of ".docx"/".docm", ".htm" of
		// ".html", ".xls" of ".xlsx"/".xlsm"/".xlc"/".xlk"/".xlw"); wherever the longer
		// string matches, the shorter one matches too.
		// No `nocase` modifier is present, so ".EXE" or ".Zip" are not matched.
		$extension1=".arj"
		$extension2=".bat"
		$extension3=".cer"
		$extension4=".chm"
		$extension5=".cmd"
		$extension6=".com"
		$extension7=".dat"
		$extension8=".docx"
		$extension9=".docm"
		$extension10=".doc"
		$extension11=".exe"
		$extension12=".gzip"
		$extension13=".hpp"
		$extension14=".htm"
		$extension15=".lzh"
		$extension16=".nls"
		$extension17=".html"
		$extension18=".key"
		$extension19=".php"
		$extension20=".pkxm"
		$extension21=".ppt"
		$extension22=".pps"
		$extension23=".pdf"
		$extension24=".pst"
		$extension25=".rtf"
		$extension26=".rar"
		$extension27=".sql"
		$extension28=".txt"
		$extension29=".text"
		$extension30=".vbs"
		$extension31=".ws"
		$extension32=".xls"
		$extension33=".xlsm"
		$extension34=".xlsx"
		$extension35=".xlc"
		$extension36=".xlk"
		$extension37=".xlw"
		$extension38=".zip"
		// Environment-variable style path placeholders.
		// Matching is case-sensitive, which is why some names are listed twice in
		// different casing ("%TEMP%"/"%temp%", "%ProgramFiles%"/"%programfiles%").
		// A single string with the `nocase` modifier would cover every casing.
		// $folder3 has no surrounding percent signs, unlike its neighbours.
		// NOTE(review): "%windows%", "%system%" and "%user%" do not look like standard
		// Windows variable names - presumably tool-specific placeholders; confirm.
		$folder1="%ALLUSERPROFILE%"
		$folder2="%APPDATA%"
		$folder3="commonappdata"
		$folder4="%CommonProgramFiles%"
		$folder5="%HOMEPATH%"
		$folder6="%LOCALAPPDATA%"
		$folder7="%ProgramData%"
		$folder8="%ProgramFiles%"
		$folder9="%PUBLIC%"
		$folder10="%SystemDrive%"
		$folder11="%SystemRoot%"
		$folder12="%TEMP%"
		$folder13="%USERPROFILE%"
		$folder14="%windows%"
		$folder15="%windir%"
		$folder16="%system%"
		$folder17="%temp%"
		$folder18="%user%"
		$folder19="%programfiles%"
		// Bare GUID strings (no braces).
		// $guid1, $guid2 and $guid3 are byte-identical, as are $guid10 and $guid12;
		// $guid11 and $guid13 differ only in letter case. The duplicates add no
		// coverage.
		// NOTE(review): if the condition (not visible here) counts matches, identical
		// patterns inflate the count - confirm before deduplicating.
		// $guid8 is IID_IUnknown, which appears in most COM-using code, so on its own
		// it carries little signal.
		$guid1="27C3B8ED-0790-42BD-9AD7-18465E7F7696"
		$guid2="27C3B8ED-0790-42BD-9AD7-18465E7F7696"
		$guid3="27C3B8ED-0790-42BD-9AD7-18465E7F7696"
		$guid4="97808F6C-4769-49D5-9553-18AE9C62ACD7"
		$guid5="B196B286-BAB4-101A-B69C-00AA00341D07"
		$guid6="D27CDB6E-AE6D-11CF-96B8-444553540000"
		$guid7="abe2869f-9b47-4cd9-a358-c22904dba7f7"
		$guid8="00000000-0000-0000-C000-000000000046"
		$guid9="ADB880A6-D8FF-11CF-9377-00AA003B7A11"
		$guid10="5e7e8100-9138-11d1-945a-00c04fc308ff"
		$guid11="82bd0e67-9fea-4748-8672-d5efe5b779b0"
		$guid12="5e7e8100-9138-11d1-945a-00c04fc308ff"
		$guid13="82BD0E67-9FEA-4748-8672-D5EFE5B779B0"
		$guid14="8856F961-340A-11D0-A96B-00C04FD705A2"
		$knownFolder1="{008ca0b1-55b4-4c56-b8a8-4de4b299d3be}"
		$knownFolder2="{de61d971-5ebc-4f02-a3a9-6c82895e5c04}"
		$knownFolder3="{724EF170-A42D-4FEF-9F26-B60E846FBA4F}"
		$knownFolder4="{A3918781-E5F2-4890-B3D9-A7E54332328C}"
		$knownFolder5="{1e87508d-89c2-42f0-8a7e-645a0f50ca58}"
		$knownFolder6="{a305ce99-f527-492b-8b1a-7e76fa98d6e4}"
		$knownFolder7="{AB5FB87B-7CE2-4F83-915D-550846C9537B}"
		$knownFolder8="{9E52AB10-F80D-49DF-ACB8-4330F5687855}"
		$knownFolder9="{df7266ac-9274-4867-8d55-3bd661de872d}"
		$knownFolder10="{D0384E7D-BAC3-4797-8F14-CBA229B392B5}"
		$knownFolder11="{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}"
		$knownFolder12="{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
		$knownFolder13="{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
		$knownFolder14="{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}"
		$knownFolder15="{B94237E7-57AC-4347-9151-B08C6C32D1F7}"
		$knownFolder16="{0AC0837C-BBF8-452A-850D-79D08E667CA7}"
		$knownFolder17="{4bfefb45-347d-4006-a5be-ac0cb0567192}"
		$knownFolder18="{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}"
		$knownFolder19="{56784854-C6CB-462b-8169-88E350ACB882}"
		$knownFolder20="{82A74AEB-AEB4-465C-A014-D097EE346D63}"
		$knownFolder21="{2B0F765D-C0E9-4171-908E-08A611B84FF6}"
		$knownFolder22="{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
		$knownFolder23="{5CE4A5E9-E4EB-479D-B89F-130C02886155}"
		$knownFolder24="{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
		$knownFolder25="{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}"
		$knownFolder26="{374DE290-123F-4565-9164-39C4925E467B}"
		$knownFolder27="{1777F761-68AD-4D8A-87BD-30B759FA33DD}"
		$knownFolder28="{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
		$knownFolder29="{CAC52C1A-B53D-4edc-92D7-6B2E8AC19434}"
		$knownFolder30="{054FAE61-4DD8-4787-80B6-090220C4B700}"
		$knownFolder31="{D9DC8A3B-B784-432E-A781-5A1130A75963}"
		$knownFolder32="{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}"
		$knownFolder33="{9B74B6A3-0DFD-4f11-9E78-5F7800F2E772}"
		$knownFolder34="{BCB5256F-79F6-4CEE-B725-DC34E402FD46}"
		$knownFolder35="{352481E8-33BE-4251-BA85-6007CAEDCF9D}"
		$knownFolder36="{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}"
		$knownFolder37="{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"
		$knownFolder38="{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}"
		$knownFolder39="{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
		$knownFolder40="{A520A1A4-1780-4FF6-BD18-167343C5AF16}"
		$knownFolder41="{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}"
		$knownFolder42="{4BD8D571-6D19-48D3-BE97-422220080E43}"
		$knownFolder43="{2112AB0A-C86A-4FFE-A368-0DE96E47012E}"
		$knownFolder44="{C5ABBF53-E17F-4121-8900-86626FC2C973}"
		$knownFolder45="{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}"
		$knownFolder46="{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}"
		$knownFolder47="{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}"
		$knownFolder48="{A990AE9F-A03B-4E80-94BC-9912D7504104}"
		$knownFolder49="{33E28130-4E1E-4676-835A-98395C3BC3BB}"
		$knownFolder50="{DE92C1C7-837F-4F69-A3BB-86E631204A23}"
		$knownFolder51="{76FC4E2D-D6AD-4519-A663-37BD56068185}"
		$knownFolder52="{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}"
		$knownFolder53="{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
		$knownFolder54="{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
		$knownFolder55="{905e63b6-c1bf-494e-b29c-65b732d3d21a}"
		$knownFolder56="{6D809377-6AF0-444b-8957-A3773F02200E}"
		$knownFolder57="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}"
		$knownFolder58="{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}"
		$knownFolder59="{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}"
		$knownFolder60="{DE974D24-D9C6-4D3E-BF91-F4455120B917}"
		$knownFolder61="{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
		$knownFolder62="{DFDF76A2-C82A-4D63-906A-5644AC457385}"
		$knownFolder63="{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}"
		$knownFolder64="{ED4824AF-DCE4-45A8-81E2-FC7965083634}"
		$knownFolder65="{3D644C9B-1FB8-4f30-9B45-F670235F79C0}"
		$knownFolder66="{DEBF2536-E1A8-4c59-B6A2-414586476AEA}"
		$knownFolder67="{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}"
		$knownFolder68="{3214FAB5-9757-4298-BB61-92A9DEAA44FF}"
		$knownFolder69="{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}"
		$knownFolder70="{E555AB60-153B-4D17-9F04-A5FE99FC15EC}"
		$knownFolder71="{0482af6c-08f1-4c34-8c90-e17ec98b1e17}"
		$knownFolder72="{2400183A-6185-49FB-A2D8-4A392A602BA3}"
		$knownFolder73="{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}"
		$knownFolder74="{AE50C081-EBD2-438A-8655-8A092E34987A}"
		$knownFolder75="{1A6FDBA2-F42D-4358-A798-B74D745926C5}"
		$knownFolder76="{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}"
		$knownFolder77="{8AD10C31-2ADB-4296-A8F7-E4701232C972}"
		$knownFolder78="{C870044B-F49E-4126-A9C3-B52A1FF411E8}"
		$knownFolder79="{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
		$knownFolder80="{AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E}"
		$knownFolder81="{00BCFC5A-ED94-4e48-96A1-3F6217F21990}"
		$knownFolder82="{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}"
		$knownFolder83="{C4900540-2379-4C75-844B-64E6FAF8716B}"
		$knownFolder84="{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}"
		$knownFolder85="{859EAD94-2E85-48AD-A71A-0969CB56A6CD}"
		$knownFolder86="{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}"
		$knownFolder87="{7d1d3a04-debb-4115-95cf-2f29da2920da}"
		$knownFolder88="{b7bede81-df94-4682-a7d8-57a52620b86f}"
		$knownFolder89="{ee32e446-31ca-4aba-814f-a5ebd2fd6d5e}"
		$knownFolder90="{0D4C3DB6-03A3-462F-A0E6-08924C41B5D4}"
		$knownFolder91="{190337d1-b8ca-4121-a639-6d472d16972a}"
		$knownFolder92="{98ec0e18-2098-4d44-8644-66979315a281}"
		$knownFolder93="{7E636BFE-DFA9-4D5E-B456-D7B39851D8A9}"
		$knownFolder94="{8983036C-27C0-404B-8F08-102D10DCFD74}"
		$knownFolder95="{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}"
		$knownFolder96="{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}"
		$knownFolder97="{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}"
		$knownFolder98="{767E6811-49CB-4273-87C2-20F355E1085B}"
		$knownFolder99="{24D89E24-2F19-4534-9DDE-6A6671FBB8FE}"
		$knownFolder100="{339719B5-8C47-4894-94C2-D8F77ADD44A6}"
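		// Fixed malformed literals: 101 and 102 carried a stray "," inside the quotes,
		// and 104 ended in "," where the closing "}" belongs. As written they matched
		// only when the GUID was followed by a literal comma. They now match the
		// braced GUID form used by every other $knownFolder entry.
		$knownFolder101="{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
		$knownFolder102="{B97D20BB-F46A-4C97-BA10-5E3608430854}"
		$knownFolder103="{43668BF8-C14E-49B2-97C9-747784D784B7}"
		$knownFolder104="{289a9a43-be44-4057-a41b-587a76d7e7f9}"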
		$knownFolder105="{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}"
		$knownFolder106="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
		$knownFolder107="{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
		$knownFolder108="{A63293E8-664E-48DB-A079-DF759E0509F7}"
		$knownFolder109="{9E3995AB-1F9C-4F13-B827-48B24B6C7174}"
		$knownFolder110="{0762D272-C50A-4BB0-A382-697DCD729B80}"
		$knownFolder111="{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}"
		$knownFolder112="{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}"
		$knownFolder113="{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}"
		$knownFolder114="{A302545D-DEFF-464b-ABE8-61C8648D939B}"
		$knownFolder115="{18989B1D-99B5-455B-841C-AB7C74E4DDFC}"
		$knownFolder116="{491E922F-5643-4AF4-A7EB-4E7A138D8174}"
		$knownFolder117="{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
		// Certificate-related object identifiers in dotted-text form.
		// Only code that handles OIDs as text contains these; the DER-encoded binary
		// form inside a certificate is not matched by these strings.
		$oid1="1.3.6.1.5.5.7.3.2"        // extended key usage: TLS client authentication
		$oid2="2.16.840.1.113730.4.1"    // Netscape server-gated crypto
		$oid3="1.3.6.1.4.1.311.10.3.3"   // Microsoft server-gated crypto
		$oid4="1.3.6.1.5.5.7.3.1"        // extended key usage: TLS server authentication
		$oid5="1.3.6.1.4.1.311.2.1.12"   // Authenticode SpcSpOpusInfo attribute
		$os1="Win8"
		$os2="WinServer2012"
		$os3="Win7"
		$os4="WinServer2008R2"
		$os5="WinServer2008"
		$os6="Vista"
		$os7="WinHomeServer"
		$os8="WinServer2003R2"
		$os9="WinServer2003"
		$os10="WinXP64"
		$os11="WinXP"
		$os12="Win2K"
		$os13="Windows Me"
		$os14="Windows 98"
		$os15="Windows 95"
		$os16="Windows NT"
		$os17="Windows Vista"
		$os18="Windows 7"
		$os19="Windows 8"
		$os20="Ultimate Edition"
		$os21="Home Premium Edition"
		$os22="Home Basic Edition"
		$os23="Enterprise Edition"
		$os24="Business Edition"
		$os25="Starter Edition"
		$os26="Cluster Server Edition"
		$os27="Datacenter Edition"
		$os28="Datacenter Edition (core installation)"
		$os29="Enterprise Edition (core installation)"
		$os30="Enterprise Edition for Itanium-based Systems"
		$os31="Small Business Server"
		$os32="Small Business Server Premium Edition"
		$os33="Standard Edition"
		$os34="Standard Edition (core installation)"
		$os35="Web Server Edition"
		$os36="Professional Edition"
		$os37="Windows Server 2003"
		$os38="Windows Server 2003 R2"
		$os39="Windows Storage Server 2003"
		$os40="Windows XP"
		$os41="Windows XP Professional x64 Edition"
		$os42="Windows XP Professional x64"
		$os43="Datacenter Edition for Itanium-based Systems"
		$os44="Datacenter x64 Edition"
		$os45="Enterprise x64 Edition"
		$os46="Standard x64 Edition"
		$os47="Compute Cluster Edition"
		$os48="Web Edition"
		$os49="Home Edition"
		$os50="Professional"
		$os51="Windows 2000"
		$os52="Datacenter Server"
		$os53="Advanced Server"
		$os54="Windows Home Server"
		$os55="Windows Server 2008"
		$os56="Windows Server R2"
		$privilege1="SeAssignPrimaryTokenPrivilege"
		$privilege2="SeAuditPrivilege"
		$privilege3="SeBackupPrivilege"
		$privilege4="SeChangeNotifyPrivilege"
		$privilege5="SeCreateGlobalPrivilege"
		$privilege6="SeCreatePagefilePrivilege"
		$privilege7="SeCreatePermanentPrivilege"
		$privilege8="SeCreateSymbolicLinkPrivilege"
		$privilege9="SeCreateTokenPrivilege"
		$privilege10="SeDebugPrivilege"
		$privilege11="SeEnableDelegationPrivilege"
		$privilege12="SeImpersonatePrivilege"
		$privilege13="SeIncreaseBasePriorityPrivilege"
		$privilege14="SeIncreaseQuotaPrivilege"
		$privilege15="SeIncreaseWorkingSetPrivilege"
		$privilege16="SeLoadDriverPrivilege"
		$privilege17="SeLockMemoryPrivilege"
		$privilege18="SeMachineAccountPrivilege"
		$privilege19="SeManageVolumePrivilege"
		$privilege20="SeProfileSingleProcessPrivilege"
		$privilege21="SeRelabelPrivilege"
		$privilege22="SeRemoteShutdownPrivilege"
		$privilege23="SeRestorePrivilege"
		$privilege24="SeSecurityPrivilege"
		$privilege25="SeShutdownPrivilege"
		$privilege26="SeSyncAgentPrivilege"
		$privilege27="SeSystemEnvironmentPrivilege"
		$privilege28="SeSystemProfilePrivilege"
		$privilege29="SeSystemtimePrivilege"
		$privilege30="SeTakeOwnershipPrivilege"
		$privilege31="SeTcbPrivilege"
		$privilege32="SeTimeZonePrivilege"
		$privilege33="SeTrustedCredManAccessPrivilege"
		$privilege34="SeUndockPrivilege"
		$privilege35="SeUnsolicitedInputPrivilege"
		$product1="76487-640-1457236-23837"
		$product2="76487-337-8429955-22614"
		$product3="76487-644-3177037-23510"
		$product4="76487-640-8834005-23195"
		$product5="76487-640-0716662-23535"
		$product6="76487-644-8648466-23106"
		$product7="76487-341-5883812-22420"
		$product8="76487-OEM-0027453-63796"
		$product9="76497-640-6308873-23835"
		$product10="55274-640-2673064-23950"
		$product11="00426-293-8170032-85146"
		$registry1="Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects"
		$registry2="\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\"
		$registry3="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Reliability"
		$registry4="SOFTWARE\\Policies\\Microsoft\\Cryptography\\AutoEnrollment"
		$registry5="SYSTEM\\CurrentControlSet\\Control\\CrashControl\\MachineCrash"
		$registry6="SYSTEM\\CurrentControlSet\\Control\\MiniNT"
		$registry7="SYSTEM\\CurrentControlSet\\Control\\Watchdog\\Display"
		$registry8="SYSTEM\\CurrentControlSet\\Services\\NetDDE"
		$registry9="SYSTEM\\CurrentControlSet\\Services\\netlogon\\parameters"
		$registry10="Software\\Microsoft\\Remote Desktop"
		$registry11="Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore"
		$registry12="Software\\Microsoft\\Windows NT\\CurrentVersion\\WPAReminders"
		$registry13="Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LocalUsers"
		$registry14="Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
		$registry15="Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SCLogon"
		$registry16="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Remote\\%d"
		$registry17="Software\\Microsoft\\Windows\\CurrentVersion\\ThemeManager\\Remote\\%d"
		$registry18="Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate"
		$registry19="Software\\Policies\\Microsoft\\System\\DNSclient"
		$registry20="Software\\Policies\\Microsoft\\Windows NT\\Terminal Services"
		$registry21="Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop"
		$registry22="Software\\Policies\\Microsoft\\Windows\\System\\Power"
		$registry23="Software\\Policies\\Microsoft\\Windows\\System\\Scripts\\"
		$registry24="System\\CurrentControlSet\\Control\\Lsa"
		$registry25="System\\CurrentControlSet\\Control\\SafeBoot\\Option"
		$registry26="System\\CurrentControlSet\\Control\\Session Manager\\Environment"
		$registry27="System\\CurrentControlSet\\Control\\Session Manager\\Memory ManagementLogonCrash"
		$registry28="System\\CurrentControlSet\\Control\\Terminal Server"
		$registry29="System\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core"
		$registry30="System\\CurrentControlSet\\Control\\Windows"
		$registry31="System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
		$registry32="System\\WPA\\"
		$registry33="SOFTWARE\\Microsoft\\Windows Messaging Subsystem"
		$registry34="HARDWARE\\DEVICEMAP\\SERIALCOMM"
		$registry35="HARDWARE\\DEVICEMAP\\PARALLEL PORTS"
		$registry36="SOFTWARE\\KasperskyLab\\protected\\AVP9\\settings"
		$registry37="SOFTWARE\\KasperskyLab\\protected\\AVP8\\settings"
		$registry38="SOFTWARE\\kingsoft\\AntiVirus"
		$registry39="SOFTWARE\\JiangMin"
		$registry40="SOFTWARE\\Norton\\SecurityStatusSDK"
		$registry41="SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info"
		$registry42="SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters"
		$registry43="SYSTEM\\ControlSet001\\Services\\vmxnet"
		$registry44=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
		$registry45=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce"
		$registry46=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
		$registry47="Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
		$registry48="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"
		$registry49="Software\\Cisco Systems\\VPN Client\\AllAccess"
		$registry50="SOFTWARE\\AVAST Software"
		$registry51="SOFTWARE\\ESET"
		$registry52="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
		$registry53="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
		$registry54="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\UserReset"
		$registry55="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
		$registry56="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
		$registry57="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
		$registry58="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"
		$registry59="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"
		$registry60="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
		$registry61="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\wdfmgr"
		$registry62="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\UserRestart"
		$registry63="System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations"
		$registry64="Software\\Microsoft\\Windows\\CurrentVersion"
		$registry65="Software\\Microsoft\\windows\\currentversion\\Internet Settings"
		$registry66="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
		$registry67="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
		$registry68="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
		$registry69="Software\\Microsoft\\windows\\currentversion\\Internet Settings"
		$registry70="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
		$registry71="Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileGuid"
		$registry72="Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
		$registry73="Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
		$registry74="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost"
		$registry75="Software\\Policies\\Microsoft\\Windows\\System"
		$registry76="System\\CurrentControlSet\\Control\\Session Manager"
		$registry77="CurrentVersion\\Run"
		$registry78="HKEY_CLASSES_ROOT"
		$registry79="HKEY_CURRENT_USER"
		$registry80="HKEY_LOCAL_MACHINE"
		$registry81="HKEY_USERS"
		$registry82="HKEY_PERFORMANCE_DATA"
		$registry83="HKEY_CURRENT_CONFIG"
		$registry84="HKEY_DYN_DATA"
		$registry85="Hardware\\Description\\System\\CentralProcessor"
		$registry86="Hardware\\ACPI\\DSDT"
		$registry87="HARDWARE\\DEVICEMAP\\SERIALCOMM"
		$registry88="HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
		$registry89="HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
		$registry90="SYSTEM\\CurrentControlSet\\Services\\mssmbios\\data"
		$registry91="SYSTEM\\CurrentControlSet\\Services\\"
		$registry92="SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip"
		$registry93="hklm\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}"
		$registry94="hklm\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}"
		$registry95="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
		$registry96="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
		$registry97="SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder"
		$registry98="SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\\"
		$registry99="SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg"
		$registry100="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
		$registry101="SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\"
		$registry102="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
		$registry103="DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
		$registry104="DisableTaskManager"
		$registry105="HKCU\\Control Panel\\Desktop"
		$registry106="SOFTWARE\\Classes\\TypeLib\\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}"
		$registry107="SOFTWARE\\Classes\\TypeLib\\{9EA55529-E122-4757-BC79-E4825F80732C}"
		$registry108="CLSID\\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\\InProcServer32"
		$registry109="SOFTWARE\\Classes\\TypeLib\\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\\1.2\\0\\win32"
		$registry110="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"
		$registry111="System\\CurrentControlSet\\Control\\BackupRestore\\FilesNotToBackup"
		// SDDL security-descriptor strings.
		// "S:(ML;...;LW)" is a mandatory-label ACE at low integrity, and
		// "S-1-16-0" is the untrusted integrity level.
		// "(A;...;GA;;;WD)" grants GENERIC_ALL to Everyone.
		// A binary that embeds these creates objects reachable from low-integrity or
		// arbitrary processes. That is worth a look, but sandboxed browsers and
		// ordinary IPC code do the same.
		// $sddl2 and $sddl3 are byte-identical.
		// Each shorter descriptor ($sddl8, $sddl10) is a substring of a longer one
		// ($sddl7, $sddl9), so it matches wherever the longer one does.
		$sddl1="S:(ML;;NRNWNX;;;LW)"
		$sddl2="S:(ML;CIOI;NRNWNX;;;LW)"
		$sddl3="S:(ML;CIOI;NRNWNX;;;LW)"
		$sddl4="S:(ML;;NW;;;LW)"
		$sddl5="S:(ML;;NW;;;S-1-16-0)"
		$sddl6="D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
		$sddl7="D:(A;OICI;GA;;;WD)S:(ML;CIOI;NRNWNX;;;LW)"
		$sddl8="D:(A;OICI;GA;;;WD)"
		$sddl9="D:(A;;GA;;;WD)S:(ML;;NRNWNX;;;LW)"
		$sddl10="D:(A;;GA;;;WD)"
		$sddl11="D:AI(A;;GAFA;;;WD)"
		$sddl12="D:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;WD)"
		$sddl13="D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;GA;;;WD)"
		$sddl14="D:P(D;CIOI;GA;;;DG)(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;GA;;;WD)"
		$sddl15="D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(D;;SD;;;WD)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)"
		$sddl16="D:P(D;CIOI;GA;;;DG)(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(D;;SD;;;WD)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)"
		$sddl17="O:SYG:SYD:(A;;RC;;;SY)"
		$sid1="S-1-0"
		$sid2="S-1-0-0"
		$sid3="S-1-1"
		$sid4="S-1-1-0"
		$sid5="S-1-2"
		$sid6="S-1-2-0"
		$sid7="S-1-2-1"
		$sid8="S-1-3"
		$sid9="S-1-3-0"
		$sid10="S-1-3-1"
		$sid11="S-1-3-2"
		$sid12="S-1-3-3"
		$sid13="S-1-3-4"
		$sid14="S-1-5-80-0"
		$sid15="S-1-4"
		$sid16="S-1-5"
		$sid17="S-1-5-1"
		$sid18="S-1-5-2"
		$sid19="S-1-5-3"
		$sid20="S-1-5-4"
		$sid21="S-1-5-6"
		$sid22="S-1-5-7"
		$sid23="S-1-5-8"
		$sid24="S-1-5-9"
		$sid25="S-1-5-10"
		$sid26="S-1-5-11"
		$sid27="S-1-5-12"
		$sid28="S-1-5-13"
		$sid29="S-1-5-14"
		$sid30="S-1-5-15"
		$sid31="S-1-5-17"
		$sid32="S-1-5-18"
		$sid33="S-1-5-19"
		$sid34="S-1-5-20"
		$sid35="S-1-5-32-544"
		$sid36="S-1-5-32-545"
		$sid37="S-1-5-32-546"
		$sid38="S-1-5-32-547"
		$sid39="S-1-5-32-548"
		$sid40="S-1-5-32-549"
		$sid41="S-1-5-32-550"
		$sid42="S-1-5-32-551"
		$sid43="S-1-5-32-552"
		$sid44="S-1-5-64-10"
		$sid45="S-1-5-64-14"
		$sid46="S-1-5-64-21"
		$sid47="S-1-5-80"
		$sid48="S-1-5-80-0"
		$sid49="S-1-5-80-0"
		$sid50="S-1-5-83-0"
		$sid51="S-1-16-0"
		$sid52="S-1-16-4096"
		$sid53="S-1-16-8192"
		$sid54="S-1-16-8448"
		$sid55="S-1-16-12288"
		$sid56="S-1-16-16384"
		$sid57="S-1-16-20480"
		$sid58="S-1-16-28672"
		$sid59="S-1-5-32-554"
		$sid60="S-1-5-32-555"
		$sid61="S-1-5-32-556"
		$sid62="S-1-5-32-557"
		$sid63="S-1-5-32-558"
		$sid64="S-1-5-32-559"
		$sid65="S-1-5-32-560"
		$sid66="S-1-5-32-561"
		$sid67="S-1-5-32-562"
		$sid68="S-1-5-32-569"
		$sid69="S-1-5-32-573"
		$sid70="S-1-5-32-574"
		$sid71="S-1-5-32-575"
		$sid72="S-1-5-32-576"
		$sid73="S-1-5-32-577"
		$sid74="S-1-5-32-578"
		$sid75="S-1-5-32-579"
		$sid76="S-1-5-32-580"
		$sid77="S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
		// Leading fragments of browser User-Agent headers, cut off after the first
		// ";" so the platform details that follow do not have to match.
		// A hard-coded User-Agent shows that the binary builds its own HTTP requests,
		// which updaters and installers do as well.
		// $userAgent1 and $userAgent2 are byte-identical.
		$userAgent1="Mozilla/4.0 (compatible; MSIE 6.0;"
		$userAgent2="Mozilla/4.0 (compatible; MSIE 6.0;"
		$userAgent3="Mozilla/4.0 (compatible; MSIE 5.0;"
		$userAgent4="Mozilla/4.0 (compatible; MSIE 7.0;"
		$userAgent5="Mozilla/4.0 (compatible; MSIE 8.0;"
		$userAgent6="Mozilla/5.0 (Windows NT 6.2;"
		$string1="PR_Bind"
		$string2="PR_Accept"
		$string3="PR_AcceptRead"
		$string4="PR_Connect"
		$string5="PR_Listen"
		$string6="PR_Read"
		$string7="PR_Write"
		$string8="PR_Writev"
		$string9="PR_Close"
		$string10="PR_Send"
		$string11="PR_TransmitFile"
		$string12="PR_OpenTCPSocket"
		$string13="PR_GetSocketOption"
		$string14="PR_SetSocketOption"
		$string15="PR_Shutdown"
		$string16="PR_GetError"
		$string17="PR_SetError"
		$string18="PR_GetNameForIdentity"
		$string19="ActiveX Control"
		$string20="\\\\.\\PhysicalDrive%d"
		$string21="Microsoft Windows Auto Update"
		$string22="PB_DropAccept"
		$string23="PB_WindowID"
		$string24="IsAdmin"
		$string25="CryptKeyType"
		$string26="CryptKeyId"
		$string27="NetAdapter"
		$string28="Gateway"
		$string29="PriWinsServer"
		$string30="SecWinsServer"
		$string31="DHCPServer"
		$string32="DnsServer"
		$string33="Microsoft Enhanced Cryptographic Provider v1.0"
		$string34="FtpServer"
		$string35="FtpUserName"
		$string36="FtpPassword"
		$string37="FtpDirectory"
		$string38="RootDirectory"
		$string39="Port"
		$string40="ServerType"
		$string41="onEnterFrame"
		$string42="attachMovie"
		$string43="error to get HDD firmware serial"
		$string44="aPLib v1.01  -  the smaller the better :)"
		$string45="TrojanEngine"
		$string46="Clinic"
		$string47="NetMon"
		$string48="FileSmash"
		$string49="SafeBox"
		$string50="IERepair"
		$string51="KillVirus"
		$string52="SoftMove"
		$string53="SysClean"
		$string54="Trojan"
		$string55="CrashStackLen"
		$string56="CrashDumpLen"
		$string57="CrashStackBase64Len"
		$string58="CrashDumpBase64Len"
		$string59="CrashStack"
		$string60="MinDump"
		$string61="PaySafeCard"
		$string62="MoneyPak"
		$string63="moneypak"
		$string64="Safengine Shielden v2.3.0.0"
		$string65="MSFT"
		$string66="EnumProcess"
		$string67="InjectByPid"
		$string68="Send to Server failed."
		$string69="HandShake with the server failed. Error:"
		$string70="Microsoft Unified Security Protocol Provider"
		$string71="ddos.bot"
		$string72="passwords"
		$string73="httpserver"
		$string74="makedir"
		$string75="sendkeys"
		$string76="opencmd"
		$string77="ProcessorNameString"
		$string78="Identifier"
		$string79="VendorIdentifier"
		$string80="SystemBiosVersion"
		$string81="SystemBiosDate"
		$string82="VideoBiosVersion"
		$string83="VideoBiosDate"
		$string84="Windows File Protection"
		$string85="LogonFailure"
		$string86="killthread"
		$string87="startkeylogger"
		$string88="stopkeylogger"
		$string89="listprocesses"
		$string90="killprocess"
		$string91="stopspy"
		$string92="redirectspy"
		$string93="stopredirectspy"
		$string94="kazaabackupfiles"
		$string95="SC_MONITORPOWER"
		$string96="HWND_BROADCAST"
		$string97="IsConnectedToInternet"
		$string98="get_MachineName"
		$string99="MacAddress"
		$string100="EmailAddress"
		$string101="PopServer"
		$string102="PopPort"
		$string103="PopAccount"
		$string104="PopPassword"
		$string105="SmtpServer"
		$string106="SmtpPort"
		$string107="SmtpAccount"
		$string108="SmtpPassword"
		$string109="WininetCacheCredentials"
		$string110="MS IE FTP Passwords"
		$string111="PasswordType"
		$string112="SMTP Password"
		$string113="HTTPMail Password"
		$string114="NNTP Password"
		$string115="IMAP Password"
		$string116="POP3 Password"
		$string117="NNTP Password"
		$string118="IMAP Password"
		$string119="POP3 Password"
		$string120="IMAP Port"
		$string121="SMTP Port"
		$string122="POP3 Port"
		$string123="SMTP User"
		$string124="HTTPMail Server"
		$string125="IMAP User"
		$string126="POP3 User"
		$string127="HTTP Server URL"
		$string128="HTTP User"
		$string129="Email"
		$string130="IMAP User Name"
		$string131="IMAP Server"
		$string132="NNTP Server"
		$string133="NNTP User Name"
		$string134="NNTP Email Address"
		$string135="SMTP User Name"
		$string136="SMTP Server"
		$string137="SMTP Email Address"
		$string138="ClearBrowsingHistoryOnExit"
		$string139="GetMACAddress"
		$string140="GetProcessesByName"
		$string141="WebRequest"
		$string142="WebResponse"
		$string143="GetResponse"
		$string144="GetVolumeSerial"
		$string145="ENCRYPtSTRING"
		$string146="ENCRYPTBYTe"
		$string147="VBRUN"
		$string148="Blowfish"
		$string149="CreateDecryptor"
		$string150="MD5CryptoServiceProvider"
		$string151="TripleDESCryptoServiceProvider"
		$string152="PaddingMode"
		$string153="iexplorer"
		$string154="Shell_TrayWnd"
		$string155="ExecuteCommand"
		$string156="RunPE"
		$string157="CCleaner"
		$string158="Binder"
		$string159="SpyTheSpy"
		$string160="TCPEye"
		$string161="SpeedGear"
		$string162="taskmgr"
		$string163="IPBlocker"
		$string164="CCleaner"
		$string165="procexp"
		$string166="Windows Update"
		$string167="Payment ok"
		$string168="Payment Received. Proceed to decryption."
		$string169="Waiting Payment"
		$string170="Waiting TOR Connection"
		$string171="TorLocker"
		$string172="proxyPort = 58010"
		$string173="socksParentProxy = 127.0.0.1:9150"
		$string174="socksProxyType = socks5"
		$string175="TorLocker_v0.9.3"
		$string176="127.0.0.1:58010"
		$string177="Wallpaper"
		$string178="kippohome"
		$string179="huffman"
		$string180="DecodeHuffman"
		$string181="Decode"
		$string182="Inflate"
		$string183="Unzip"
		$string184="ZipAndEncrypt"
		$string185="ZipAndAES"
		$string186="LoadFile"
		$string187="SafenSoft"
		$string188="SysWatch"
		$string189="McAfee"
		$string190="Security Center"
		$string191="Symantec"
		$string192="Protection"
		$string193="Norton"
		$string194="ReadPort"
		$string195="WritePort"
		$string196="cookie_module"
		$string197="Proxy-Connection"
		$string198="CompressAndSend"
		$string199="EncryptFile"
		$string200="RunAsShellUser"
		$string201="SVNCStartServer"
		$string202="Terminal Server"
		$string203="WinNT"
		$string204="Enterprise"
		$string205="LanmanNT"
		$string206="BEGIN"
		$string207="CONNECTED"
		$string208="SENDME"
		$string209="EXTEND"
		$string210="EXTENDED"
		$string211="TRUNCATE"
		$string212="TRUNCATED"
		$string213="RESOLVE"
		$string214="RESOLVED"
		$string215="BEGIN_DIR"
		$string216="ESTABLISH_INTRO"
		$string217="ESTABLISH_RENDEZVOUS"
		$string218="INTRODUCE1"
		$string219="INTRODUCE2"
		$string220="RENDEZVOUS1"
		$string221="RENDEZVOUS2"
		$string222="INTRO_ESTABLISHED"
		$string223="RENDEZVOUS_ESTABLISHED"
		$string224="INTRODUCE_ACK"
		$string225="system.log"
		$string226="tor.exe"
		$string227="tcpdump.exe"
		$string228="windump.exe"
		$string229="ethereal.exe"
		$string230="wireshark.exe"
		$string231="ettercap.exe"
		$string232="snoop.exe"
		$string233="dsniff.exe"
		$string234="ChewBacca/"
		$string235="chewbacca"
		$string236=".onion/"
		$string237="TMemoryScanner"
		$string238="Symantec Shared"
		$string239="CWSandbox"
		$string240="AVAST Software"
		$string241="Virtual HD"
		$string242="News Letter"
		$string243="Subject:"
		$string244="db2admin"
		$string245="nopassword"
		$string246="password12"
		$string247="secret"
		$string248="superman"
		$string249="iloveyou"
		$string250="hello"
		$string251="helpme"
		$string252="hockey"
		$string253="home123"
		$string254="changeme"
		$string255="MsComCtl.ocx"
		$string256="HotTracking"
		$string257="OpenProcessToken fail"
		$string258="AdjustTokenPrivileges fail"
		$string259="replacement"
		$string260="settings"
		$string261="formgrabber"
		$string262="redirects"
		$string263="httpinjects"
		$string264="Transfer-Encoding"
		$string265="modify"
		$string266="pattern"
		$string267="conditions"
		$string268="actions"
		$string269="process"
		$string270="NtShutdownSystem"
		$string271="coin-miner"
		$string272="regwrite"
		$string273="urlmon"
		$string274="Internet Explorer"
		$string275="inhibitPolicyMapping"
		$string276="infinite"
		$string277="Bad time value"
		$string278="pubkey.bin"
		$string279="openssl"
		$string280="relativename"
		$string281="Polynomial"
		$string282="AES"
		$string283="RSA"
		$string284="RID"
		$string285="cryptedcount.txt"
		$string286="explicitText"
		$string287="ASN1"
		$string288="requireExplicitPolicy"
		// Windows service names, crypto parameter labels and legacy NT config file names.
		// NOTE(review): "DNS" is a three-byte unanchored literal and will match very widely.
		$string289="LanmanWorkstation"
		$string290="LanmanServer"
		$string291="DNS"
		$string292="Salt Length"
		$string293="Seed"
		$string294="Prime"
		$string295="config.nt"
		$string296="autoexec.nt"
		// Sample-looking phrases, executable names and connection-failure messages.
		$string297="protocol testing"
		$string298="experience Destroy"
		$string299="go.exe"
		$string300="userinit.exe"
		$string301="Dispatch"
		$string302="winsock"
		$string303="connection failed"
		$string304="open internet failed"
		// "payload" is declared again as $string472.
		$string305="payload"
		// Script-host COM object names.
		$string306="Wscript.Shell"
		$string307="Shell.Application"
		$string308="createobject"
		// Installer / self-extractor vocabulary and remote-desktop tool names.
		// "UltraVnc" already matches everything "UltraVncSC" matches.
		// "RunProgram" is declared again as $string1331.
		$string309="Setup.exe"
		$string310="Extracting"
		$string311="UltraVnc"
		$string312="UltraVncSC"
		$string313="RunProgram"
		// In a YARA text string `*` is a literal asterisk, not a wildcard: these two match
		// the five characters "*.ocx" / "*.dll" as written (e.g. a file-dialog filter).
		$string314="*.ocx"
		$string315="*.dll"
		$string316="IMAGEHLP.dll"
		$string317="Signature"
		$string318="installer.exe"
		$string319="Fast decoding"
		$string320="Win32.exe"
		$string321="Gina"
		$string322="cgets"
		$string323="Macromedia"
		$string324="FlashPlayer"
		// `\\` is YARA's escape for one backslash: this matches NetworkService\Cookies\
		$string325="NetworkService\\Cookies\\"
		$string326="Scheduler"
		// Matches Local Settings\History\History.IE5
		$string327="Local Settings\\History\\History.IE5"
		$string328="leave the progress due to 10 attempts"
		$string329="unrarw32"
		// NOTE(review): "server", "admin", "Mozilla" and "AppData" are generic; without
		// `fullword`, "admin" also hits "administrators", "Administrator" and similar.
		$string330="server"
		$string331="verifyinginstaller"
		$string332="xxx.exe"
		$string333="Mozilla"
		// "CONNECT" is declared three times ($string334, $string397, $string615).
		$string334="CONNECT"
		$string335="system.exe"
		$string336="cmd.exe"
		$string337="AppData"
		$string338="admin"
		$string339="msnmsgr.exe"
		$string340="Microsoft.VisualBasic"
		$string341="Dictionary"
		$string342="Protocol not supported"
		// Lower-case spelling; the capitalised "Referer" is a separate entry ($string418).
		$string343="referer"
		$string344="partner_online_url"
		$string345="partner_new_url"
		$string346="runprog.exe"
		$string347="CDATA["
		$string348="exe.agent.mail"
		$string349="mail.ru"
		// Single dictionary words describing capabilities or UI actions.
		// NOTE(review): almost every entry in this run ("setup", "load", "wait", "loop",
		// "Event", "Console", ...) occurs in ordinary software. If the condition fires on
		// any single string, this run alone makes the rule match most executables - verify
		// against the condition before relying on a hit.
		$string350="password"
		$string351="Launcher"
		$string352="setup"
		$string353="remote"
		$string354="random"
		$string355="inject"
		$string356="hook"
		$string357="crack"
		$string358="script"
		$string359="browse"
		$string360="Clipboard"
		$string361="Event"
		$string362="Privilege"
		$string363="Reboot"
		$string364="CABINET"
		$string365="extract"
		// Windows tool and runtime names.
		$string366="rundll32.exe"
		$string367="REGTLIB.EXE"
		$string368="VB Runtime Installation"
		$string369="Command.com"
		$string370="Resume"
		$string371="Pause"
		$string372="Socket"
		$string373="GetCode"
		$string374="Console"
		$string375="LZStart"
		$string376="About:blank"
		$string377="shell"
		// Three-byte literal, declared again as $string460.
		$string378="666"
		$string379="alert"
		$string380="reverse"
		$string381="swap"
		$string382="logon"
		$string383="logoff"
		$string384="HookProc"
		$string385="attempt"
		$string386="users"
		$string387="load"
		$string388="query"
		$string389="scan"
		$string390="module"
		$string391="drop"
		$string392="loop"
		$string393="wait"
		// Process names and transfer verbs. "Download" is a prefix of the later Download*
		// entries, so it already matches everything they match.
		$string394="iexplore.exe"
		$string395="Download"
		$string396="Upload"
		// Second declaration of "CONNECT" (see $string334, $string615).
		$string397="CONNECT"
		$string398="wuauclt.exe"
		$string399="Poison.exe"
		$string400="explorer.exe"
		$string401="pipe"
		$string402="Transaction"
		$string403="Created by"
		// HTTP header text; `*/*` is literal here.
		$string404="Accept: */*"
		// Already covered by the shorter "setup" ($string352).
		$string405="setup.exe"
		$string406="inetinfo.exe"
		$string407="WinDir"
		$string408="update.html"
		$string409="exec error"
		$string410="application/x-www-form-urlencoded"
		// PE-tool / packer-looking names and generic tokens.
		$string411="LordPE"
		$string412="Silvana"
		$string413="petite"
		$string414="PROGRAM"
		$string415="deflate"
		$string416="60794-12b3-e4169440"
		// HTTP header names. "Referer" is the capitalised twin of $string343.
		$string417="Keep-Alive"
		$string418="Referer"
		$string419="WinSta0"
		$string420="Gh0st"
		$string421="Update"
		$string422="CapsLock"
		// Note the extra "s": this is not the spelling of the Windows svchost.exe name.
		$string423="svcshost.exe"
		$string424="Forbidden"
		$string425="Accepted"
		$string426="sessionid"
		// Account, group and terminal-services vocabulary.
		// "guest" also matches inside "guest.html" ($string469); "shared" ($string483)
		// matches inside "sharedaccess".
		$string427="sharedaccess"
		$string428="localgroup"
		$string429="administrators"
		$string430="Administrator"
		$string431="guest"
		$string432="RDP-Tcp"
		$string433="UnknownProcess"
		// printf-style format string: matches the unexpanded template stored in a file,
		// not the formatted output.
		$string434="%d Day %d Hour %d Min"
		$string435="termsrv_t"
		$string436="Winlogon"
		$string437="nsocket"
		$string438="repeat"
		$string439="compression"
		$string440="dictionary"
		$string441="userprofile"
		$string442="webkit"
		$string443="command"
		$string444="tracing"
		$string445="sandbox"
		$string446="keystroke"
		$string447="Adobe"
		$string448="scanning"
		$string449="Callback"
		// Peer-to-peer / BitTorrent-style vocabulary ("torrent", "webseeds", "announce",
		// "tracker", "keyhash").
		// NOTE(review): legitimate P2P clients and network tools presumably contain the
		// same words - treat hits from this run as weak evidence.
		$string450="torrent"
		// Misspelling kept verbatim; presumably copied from a sample, so correcting it
		// would change what is matched.
		$string451="Outsanding"
		$string452="localhost"
		$string453="proxy"
		$string454="downspeed"
		$string455="korean"
		$string456="chinese"
		$string457="japanese"
		$string458="interval"
		$string459="webseeds"
		// Second declaration of "666" (see $string378).
		$string460="666"
		// "POST" is declared again as $string614.
		$string461="POST"
		$string462="fingerprint"
		$string463="DNA_Proxy"
		$string464="min_http_connections"
		$string465="Unauthorized"
		$string466="pairing"
		$string467="TOKEN"
		$string468="subscribe"
		$string469="guest.html"
		$string470="announce"
		$string471="multicast"
		// Second declaration of "payload" (see $string305).
		$string472="payload"
		$string473="DEBUG"
		$string474="UPnP"
		$string475="channel"
		$string476="tracker"
		// Three-byte literal; matches very widely.
		$string477="NAT"
		$string478="DHCP"
		$string479="Host"
		$string480="keyhash"
		$string481="packet"
		$string482="watchdog"
		$string483="shared"
		// Distinctive phrases; these are far more specific than the words above.
		$string484="are you debugging me"
		// NOTE(review): reads like a DOS-stub message with the spaces removed - confirm
		// it is not emitted by a common compiler before treating it as malicious.
		$string485="ThisprogrammustberununderWin32"
		$string486="Shit!!"
		$string487="PrepareOurShit"
		// Installer / self-extractor vocabulary.
		// NOTE(review): "NullsoftInst" and "WinRAR SFX" presumably occur in every installer
		// built with those tools, benign or not.
		// "Scanning" differs from $string448 ("scanning") only in case.
		$string488="Exefiles"
		$string489="Scanning"
		$string490="StdOut"
		$string491="Codecs"
		$string492="ProgramFilesDir"
		$string493="Install"
		// `\\` is one backslash: this matches \Temp
		$string494="\\Temp"
		$string495="SHFOLDER"
		$string496="NullsoftInst"
		$string497="WinRAR SFX"
		// Specific file names and an identifier; these look sample-specific.
		$string498="287333.dat"
		// Four backslashes in the rule are two in the data: matches \\cryptme\\
		$string499="\\\\cryptme\\\\"
		$string500="Autoit3.824383.exe"
		$string501="run.vbs"
		$string502="{0000054f-0000-0010-8000-00aa006d2ea4}"
		// Credential field names and HTTP header names.
		// Matching is case-sensitive, which is why "username"/"Username" and
		// "password" ($string350)/"Password" are listed separately.
		$string503="username"
		$string504="Password"
		$string505="Username"
		$string506="Expires"
		$string507="User-Agent"
		$string508="Cookie"
		$string509="taskmgr.exe"
		$string510="regedit.exe"
		// Key / certificate field labels. "serial" already matches inside "serialNumber",
		// and "Seed" ($string293) already matches everything "Seed:" matches.
		$string511="serialNumber"
		$string512="userPassword"
		$string513="public_key"
		$string514="serial"
		$string515="Public-Key"
		$string516="Private-Key"
		$string517="Seed:"
		$string518="encryption"
		$string519="PECompact2"
		$string520="logFile"
		$string521="index.html"
		$string522="application/pdf"
		// Server / client program text and source-file names.
		$string523="Run as a daemon"
		$string524="http.c"
		$string525="client.c"
		$string526="127.0.0.1"
		$string527="serverTimeout"
		$string528="Server closed connection"
		$string529="nameserver"
		// Same name in two capitalisations.
		$string530="autorun.exe"
		$string531="Autorun.exe"
		$string532="COMSPEC"
		$string533="csrss.exe"
		// Debugger names (window-class style).
		$string534="OLLYDBG"
		$string535="WinDbgFrameClass"
		$string536="BankID"
		$string537="DANCHODANCHEV_END_BRIANKREBS_GOT_FARRIED"
		// Visual Basic style component names.
		// NOTE(review): "Timer1".."Timer3", "WebBrowser" and "VBA6.DLL" look like default
		// form-control and runtime names; presumably present in many benign VB programs.
		$string538="Timer1"
		$string539="Timer2"
		$string540="Timer3"
		$string541="Mscomctl32.ocx"
		$string542="WebBrowser"
		$string543="Logout"
		$string544="VBA6.DLL"
		$string545="9368265E-85FE-11d1-8BE3-0000F8754DA1"
		$string546="TIPOFDAY.TXT"
		$string547="Scripting.FileSystemObject"
		$string548="LoVein1"
		// Unusual spellings of the kernel32 library name.
		$string549="MZKERNEL32.DLL"
		$string550="KerNel32.dll"
		// Downloader / browser vocabulary.
		// "Downloader" already matches everything "Downloader.exe" matches; "downloader"
		// is a separate entry only because matching is case-sensitive.
		$string551="downloader"
		$string552="browser"
		$string553="NETSCAPE2.0"
		$string554="opera"
		$string555="RemoveRange"
		$string556="AuthenticationMode"
		$string557="Downloader"
		$string558="chromepref"
		$string559="Downloader.exe"
		// The standard Base64 alphabet.
		// NOTE(review): any program that embeds a Base64 encoder table in this order will
		// contain this literal; it says nothing about intent. $string1067 holds a
		// different ordering (digits first).
		$string560="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
		// NOTE(review): looks like a compiler version banner; if so it identifies the
		// toolchain of a binary rather than its behaviour - confirm.
		$string561="FPC 2.7.1 [2013/10/22] for i386 - Win32"
		$string562="pipedatacontinue"
		$string563="sdwefa.gif"
		// Console device names.
		$string564="CONIN$"
		$string565="CONOUT$"
		$string566="~MS80547.bat"
		$string567="Shell"
		$string568="reg.exe"
		$string569="IE 8.5"
		// "start" is declared again as $string845.
		$string570="start"
		$string571="whoami"
		$string572="pidrun"
		$string573="geturl"
		$string574="rusinfo.exe"
		$string575="letusgohtppmmv1.0"
		$string576="letusgohtppmmv2.0.0.1"
		// Free-text fragments; provenance is not stated in the rule.
		// "Destroy" already matches inside "experience Destroy" ($string298).
		$string577="Sometimes"
		$string578="Destroy"
		$string579="likubes"
		$string580="fine musicians"
		$string581="file not found"
		$string582="brothers-in-law"
		// Windows structure and field names, plus runtime unit names.
		$string583="_RTL_CRITICAL_SECTION_DEBUG"
		$string584="_RTL_CRITICAL_SECTION"
		$string585="_SECURITY_ATTRIBUTES"
		$string586="lpSecurityDescriptor"
		$string587="SysUtils"
		$string588="ActiveX"
		// File names. NOTE(review): "1.exe" is unanchored and matches any name that ends
		// in "1.exe" (for example a name such as "setup1.exe").
		$string589="700.bat"
		$string590="Sitikat"
		$string591="1.exe"
		$string592="UpdateOffice.exe"
		// "pangtip.bat" is declared twice ($string593, $string596).
		$string593="pangtip.bat"
		$string594="ping"
		// Also matches inside the ".pkxm" extension entry declared earlier in the rule.
		$string595="pkxm"
		$string596="pangtip.bat"
		$string597="Reply from"
		$string598="DCOM not installed"
		$string599="PROXY_TYPE_DIRECT"
		$string600="PROXY_TYPE_AUTO_DETECT"
		// Command-style verbs (file transfer, debug, delete, list). These compound tokens
		// are noticeably more specific than the single words elsewhere in the list.
		$string601="downfile"
		$string602="upfile"
		$string603="quitz"
		$string604="debugmessage"
		$string605="debugclient"
		$string606="debugfile"
		$string607="delfile"
		$string608="delmessage"
		$string609="delclient"
		$string610="listfiles"
		$string611="listmessages"
		$string612="listclients"
		// Matches WinSta0\Default; the shorter "WinSta0" ($string419) already covers it.
		$string613="WinSta0\\Default"
		// Repeat declarations: "POST" (see $string461) and "CONNECT" (see $string334, $string397).
		$string614="POST"
		$string615="CONNECT"
		// Mixed identifiers: configuration keys, protocol / heartbeat names, .NET-style
		// member names.
		$string616="NetSubKey"
		// Misspelling kept verbatim; presumably how it appears in the sample.
		$string617="FileDescrsiption"
		$string618="state.ini"
		// "Accepted" ($string425) already matches everything "Accepted:" matches.
		$string619="Accepted:"
		$string620="sha256"
		$string621="sinzy"
		$string622="AckPacket"
		// NOTE(review): "Connect" is a prefix of "Connection", and "Request" of
		// "RequestLoop"; the longer entries add nothing if the condition is any-of.
		$string623="Connection"
		$string624="autoRunKeyPath"
		$string625="SIGNATURE"
		$string626="messageId"
		$string627="HeartBeat"
		$string628="Request"
		$string629="Unload"
		$string630="RequestLoop"
		$string631="HeartBeatLoop"
		$string632="TcpClient"
		$string633="Connect"
		$string634="Login"
		$string635="CurrentUser"
		$string636="CreateDomain"
		$string637="ComputeHash"
		// `*` is literal in a text string: matches the nine characters "cookies.*".
		$string638="cookies.*"
		// Window-class style names of process-monitoring and analysis tools.
		// NOTE(review): software that looks these up is usually checking whether such a
		// tool is running; the tools' own binaries will presumably match too.
		$string639="Tfrmrpcap"
		$string640="ProcessLasso_Notification_Class"
		$string641="TSystemExplorerTrayForm.UnicodeClass"
		$string642="PROCMON_WINDOW_CLASS"
		$string643="PROCEXPL"
		$string644="WdcWindow"
		$string645="ProcessHacker"
		$string646="Dumper"
		$string647="Dumper64"
		$string648="APISpy32Class"
		// Name of the NTFS alternate data stream that records a file's download zone.
		// "Identifier" ($string663) already matches both of these.
		$string649="Zone.Identifier"
		$string650=":Zone.Identifier"
		$string651="runas"
		$string652="sysprep"
		$string653="TokenPrivilege"
		$string654="Shutdown"
		$string655="WebKit2WebProcess"
		// Command template with an unexpanded %s placeholder.
		$string656="cmd /c net start %s"
		$string657="Sleeping"
		$string658="Ivan Medvedev"
		$string659="Rijndael"
		// BIOS value names and a hypervisor name.
		$string660="SystemBiosVersion"
		$string661="VideoBiosVersion"
		$string662="VirtualBox"
		$string663="Identifier"
		$string664="UDPV6"
		$string665="TCPV6"
		// Compression-library copyright banners (leading space is part of the literal).
		// NOTE(review): these banners ship inside every program that statically links
		// that library version, so they are expected in large amounts of benign software.
		// The deflate 1.1.4 banner is declared twice ($string668, $string669).
		$string666=" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly"
		$string667=" inflate 1.2.3 Copyright 1995-2005 Mark Adler"
		$string668=" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
		$string669=" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
		$string670=" inflate 1.1.4 Copyright 1995-2002 Mark Adler"
		// Generic tokens and raw-input API names.
		$string671="History"
		$string672="ProductType"
		$string673="RegisterRawInputDevices"
		$string674="GetRawInputData"
		$string675="protocol>"
		// SQLite C API function names.
		// NOTE(review): any application that embeds or imports SQLite contains these;
		// they indicate database use, not what is being read.
		$string676="sqlite3_open"
		$string677="sqlite3_close"
		$string678="sqlite3_prepare_v2"
		$string679="sqlite3_step"
		$string680="sqlite3_column_text"
		// State / status words.
		$string681="plugins"
		$string682="Hibernating"
		$string683="Valid"
		$string684="Running"
		$string685="downtime-started"
		$string686="uptime-started"
		$string687="Intel Hardware Cryptographic Service Provider"
		$string688="lpAddress"
		$string689="BeginInvoke"
		$string690="EndInvoke"
		$string691="StatusChecker"
		$string692="Encoding"
		$string693="semaphore"
		$string694="stand by"
		$string695="startime"
		$string696="status"
		// Task-host process names.
		$string697="taskeng.exe"
		$string698="taskhost.exe"
		$string699="taskhostex.exe"
		$string700="throttle"
		$string701="Mandatory Level"
		// Literal "*.DMP" / "*.dmp" (the asterisk is not a wildcard); both cases listed
		// because matching is case-sensitive.
		$string702="*.DMP"
		$string703="*.dmp"
		$string704="_invoke_watson"
		// NOTE(review): "debug" is a substring of "debugmessage", "debugclient",
		// "debugfile", "debugging" and "debugger" declared elsewhere in this rule.
		$string705="remove"
		$string706="debug"
		$string707="Starting..."
		// Request / upload parameter names. "reqfile" already matches "reqfilepath".
		$string708="hostname"
		$string709="clientkey"
		$string710="reqfilepath"
		$string711="reqfile"
		$string712="postvalue"
		$string713="postfile"
		$string714="postdata"
		$string715="mkdir"
		$string716="rmdir"
		$string717="chdir"
		// Service install / uninstall progress messages.
		// "svchost" is declared twice ($string719, $string722). "Quering" is kept as
		// spelled; presumably copied from a sample.
		$string718="Creating service database record..."
		$string719="svchost"
		$string720="rpcsrv"
		$string721="Setting service description..."
		$string722="svchost"
		$string723="Opening and Quering Service..."
		$string724="Service is running, wait until stopped..."
		$string725="Stopped"
		$string726="Deleting Service..."
		$string727="Service uninstall success."
		$string728="CompareString"
		// Status phrases.
		$string729="Engine started"
		$string730="Running in background"
		$string731="Stale thread"
		$string732="Locking doors"
		$string733="Rotors engaged"
		$string734="I'm going to start it"
		// Kernel device names and messages about hiding a process through the EPROCESS
		// ActiveProcessLinks list. These are among the most specific entries in the rule.
		// `\\` is one backslash: the first two match \DosDevices\DKOM_Driver and
		// \Device\DKOM_Driver.
		$string735="\\DosDevices\\DKOM_Driver"
		$string736="\\Device\\DKOM_Driver"
		$string737="Process successfully hidden."
		$string738="Process ID: %d"
		$string739="EPROCESS address: %#x"
		$string740="ActiveProcessLinks offset: %#x"
		// "Extracting" ($string310) already matches everything this entry matches.
		$string741="Extracting %s"
		// Grammar kept verbatim ("sended").
		$string742="Your message has been sended"
		// Identifier names that read like members of a bundled downloader / monetisation
		// installer (download queue, browser checks, machine checks, promo ids).
		// NOTE(review): this run contains repeated literals: "Couponserver" ($string743,
		// $string791), "yahoo" ($string745, $string787), "DownloadComplete" ($string749,
		// $string781), "DownloadThreads" ($string753, $string784) and "DownloadUrl"
		// ($string754, $string767). Every Download* entry is also already covered by the
		// bare "Download" ($string395). If the condition counts matches, these repeats
		// inflate the count - confirm against the condition.
		$string743="Couponserver"
		$string744="xmlUrl"
		$string745="yahoo"
		$string746="LoadXml"
		$string747="LocalMachine"
		$string748="DownloadAll"
		$string749="DownloadComplete"
		// DownloadFile / DownloadFileAsync are also ordinary .NET method names, so
		// benign .NET programs that download anything will contain them.
		$string750="DownloadFile"
		$string751="DownloadFileAsync"
		$string752="DownloadServer"
		$string753="DownloadThreads"
		$string754="DownloadUrl"
		$string755="Downloaded"
		$string756="DownloadedBrowser"
		$string757="Downloading..."
		$string758="CorruptedMachine"
		$string759="HtmlGenerator"
		$string760="MachineInfo"
		$string761="MachineRestriction"
		$string762="RegSAM"
		// Very generic; also a prefix of the Security* level names declared later.
		$string763="Security"
		$string764="MemoryManagement"
		$string765="Trackingurls"
		// Spelling kept verbatim ("Chek").
		$string766="TypeChekDomain"
		$string767="DownloadUrl"
		$string768="QueueDownloader"
		$string769="ZipManager"
		$string770="ZipStorer"
		// Browser names and browser-version helpers.
		$string771="Firefox"
		$string772="Chrome"
		$string773="InternetExplorer"
		$string774="GetIEVersion"
		$string775="GetWBVersion"
		$string776="webBrowser1"
		$string777="changeHtmlCode"
		$string778="retries"
		$string779="completed"
		$string780="addextension"
		$string781="DownloadComplete"
		$string782="add_DownloadComplete"
		$string783="remove_DownloadComplete"
		$string784="DownloadThreads"
		// Spelling kept verbatim ("Arquitecture").
		$string785="Arquitecture"
		$string786="Monetizer"
		$string787="yahoo"
		$string788="internetTurbo"
		$string789="strongvault"
		$string790="amonetize"
		$string791="Couponserver"
		$string792="ShoppingChip"
		$string793="UsedBrowser"
		$string794="AndroidAPK"
		$string795="IexplorerMinVersion"
		$string796="checkMachineInfo"
		$string797="checkYahooBug"
		$string798="checkCouponserver"
		$string799="checkInternet"
		$string800="checkAOLbug"
		$string801="hideWhenInstalling"
		$string802="idPromo"
		$string803="WebmasterId"
		// "firewall" ($string809) already matches "firewalls".
		$string804="firewalls"
		$string805="IsControlled"
		$string806="Microsoft Network Monitoring Service"
		$string807="MsNetMonitor"
		$string808="HideWindow"
		$string809="firewall"
		$string810="IsUserAdministrator"
		$string811="CreateSubKey"
		$string812="NotifyDownloading"
		// Names of environment checks (virtual machine, debugger, admin rights).
		$string813="isvirtualMachine"
		$string814="isdebugging"
		$string815="HasDebugger"
		$string816="debugging"
		$string817="checkurls"
		$string818="ListSoftwares"
		$string819="CheckAdminPrivileges"
		$string820="TrackOnDefaultBrowser"
		$string821="GetDomain"
		$string822="checkdomain"
		$string823="bytesDownloaded"
		$string824="God Mode"
		$string825="logger"
		// Plugin and code-injection status messages; full sentences like these are far
		// more specific than the single words above.
		$string826="This plugin is already loaded."
		$string827="The plugin you are trying to load does not exist"
		$string828="Whitelist protection on"
		$string829="Hook cleaning on"
		$string830="PiD obfuscation on"
		$string831="Code injection successful!"
		$string832="Code injection failed!"
		$string833="Injecting code ..."
		$string834="Code Injection"
		$string835="Creating a remote thread ..."
		$string836="Keylogging disabled."
		$string837="failed to get memory"
		// A source-control id tag and script directives.
		// NOTE(review): the "#requireadmin" / "#notrayicon" / "#include-once" tokens
		// resemble AutoIt directives; if so they flag the scripting tool, which is also
		// used for benign automation - confirm before treating a hit as malicious.
		$string838="$Id: qmath.h,v 1.1 2004/01/15 19:50:35 jonbennett Exp $"
		$string839="#requireadmin"
		$string840="#notrayicon"
		$string841="#include-once"
		$string842="regedt32.sys"
		// Matches D:\RECYCLER\ (each `\\` is one backslash).
		$string843="D:\\RECYCLER\\"
		// Header line of a .reg file.
		$string844="Windows Registry Editor Version 5.00"
		// Second declaration of "start" (see $string570).
		$string845="start"
		$string846="stop"
		// Explorer policy / folder-option value names. "Hidden" already matches inside
		// "SuperHidden".
		$string847="DisallowRun"
		$string848="NoDriveTypeAutoRun"
		$string849="HideFileExt"
		$string850="Hidden"
		$string851="SuperHidden"
		$string852="Application cannot be run with debugger or monitoring tool(s) loaded!"
		$string853="Logon User Name"
		$string854="NoFolderOptions"
		// Greeting text, kept verbatim.
		$string855="Happy BirthDay my's Boss"
		$string856="Merry Christmas"
		// Remote file / command-shell status messages. Spellings such as "frist" and
		// "stoped" are kept as found; presumably they mirror the sample text, so
		// correcting them would stop the entries from matching.
		$string857="Access denied!"
		$string858="Total entries: %d"
		$string859="Entries enumerated: %d"
		$string860="Upload file ok!"
		$string861="create remote file error!"
		$string862="Download file ok!"
		$string863="Reading remote file error!"
		$string864="create pipe error!"
		$string865="start cmd error!"
		$string866="Logon user err!"
		$string867="execute error!"
		$string868="bind cmd frist!"
		$string869="CS thread still active!"
		$string870="get user name error!"
		$string871="can't get ver info!"
		// The "?" is a literal character.
		$string872="Windows?"
		$string873="Remote"
		$string874="Ramdisk"
		$string875="Client process-%d-stoped!"
		$string876="Create localfile error!"
		$string877="DownloadEnd"
		$string878="List domain server ok!#"
		$string879="fileupload"
		$string880="cruisenet"
		$string881="chunked"
		$string882="bankman"
		$string883="javascript:"
		// Library banner; leading and trailing spaces are part of the literal.
		$string884=" unzip 0.15 Copyright 1998 Gilles Vollant "
		// NOTE(review): the next six sentences read like help text of built-in Windows
		// command-line tools; if so, those system binaries will match - verify.
		$string885="Schedule service command line interface"
		$string886="This operation will delete all scheduled jobs."
		$string887="The AT schedule file was cleared."
		$string888="Deletes one or more files."
		$string889="Creates a directory."
		$string890="Removes (deletes) a directory."
		$string891="already running"
		// Bot shutdown messages, two of them in IRC command form (QUIT, PRIVMSG).
		// "Botnet shutdown" already matches inside "QUIT :Botnet shutdown".
		$string892="Botnet has been shutdown - restart bot?"
		$string893="Botnet shutdown"
		$string894="QUIT :Botnet shutdown"
		$string895="PRIVMSG %s :bingo - botnet shutting down"
		$string896="Resistance is futile"
		$string897="No malware here, honest guv!"
		$string898="Anti-debug"
		$string899="misery mystery"
		$string900="malfor"
		// Hooking-related section / marker names and a hook allocation error.
		$string901="AppleMac"
		$string902=".detour"
		$string903="Detoured"
		$string904=".memdump"
		$string905="Client hook allocation failure."
		// Option-style keywords of a stub / wrapper installer.
		// "account" already matches inside "accountid".
		$string906="silentpostback"
		$string907="AlreadyRunning"
		$string908="StubInfo"
		$string909="wrapper"
		$string910="keeplog"
		$string911="pingdialog"
		$string912="runonce"
		$string913="noreq"
		$string914="verifycookies"
		$string915="account"
		$string916="accountid"
		$string917="selftest"
		$string918="silenterr"
		$string919="preload"
		$string920="PostbackSent"
		$string921="StubRun"
		$string922="StubExtract"
		$string923="WaitablePort"
		// "Waiting" already matches inside "Waiting Connections".
		$string924="Waiting"
		$string925="Waiting Connections"
		// NOTE(review): "ServiceMain" is the conventional entry-point name of a Windows
		// service, so ordinary service binaries are expected to contain it.
		$string926="ServiceMain"
		$string927="ServTestDos"
		// Virtualisation guest component names, a family-looking name and generic
		// framework names.
		$string928="VBoxGuest"
		$string929="Betabot"
		$string930="HGFS"
		$string931="Hashtable"
		$string932="GetResourceString"
		$string933="Monitor"
		$string934="www.memtest86.com"
		$string935="boxedapp.com"
		$string936="julian seward"
		$string937="RegServer"
		// Packet send / receive status messages, kept verbatim.
		$string938="Send ack is successful."
		$string939="Get the right data."
		$string940="Receiving acknowledgment is successful."
		$string941="Receiving packet failed."
		$string942="Sending packet success..."
		$string943="Can't get the right data"
		$string944="Initialization is successful."
		$string945="Initialization is failed."
		// Mail-account credential field names and a password file name.
		// NOTE(review): presumably the names of stored mail-client account values;
		// mail clients and backup tools that read the same values would also match.
		$string946="tempPass.txt"
		$string947="POP3 Password2"
		$string948="POP3 Server"
		$string949="POP3 User Name"
		$string950="HTTPMail Password2"
		$string951="Hotmail"
		$string952="HTTPMail User Name"
		// Copyright fragment (leading space is part of the literal); presumably from a
		// third-party library and therefore present in unrelated software.
		$string953=" 2004, 2005 Pierre le Riche / Professional Software Development"
		// Spelling kept verbatim ("adress").
		$string954="Broadcast adress :"
		$string955="Broadcasts : NO"
		$string956="Broadcasts : YES"
		// "SHELLEXECUTE" already matches inside "SHELLEXECUTEWAIT".
		$string957="SHELLEXECUTE"
		$string958="SHELLEXECUTEWAIT"
		// "#"-tagged command tokens of a remote-control protocol (server control, URL
		// actions, screen, clipboard, camera, keep-alive). The tag prefix makes these
		// far more specific than plain words.
		$string959="#BOT#CloseServer"
		$string960="#BOT#OpenUrl"
		$string961="#BOT#Ping"
		$string962="#BOT#RunPrompt"
		$string963="#BOT#SvrUninstall"
		$string964="#BOT#URLDownload"
		$string965="#BOT#URLUpdate"
		$string966="#BOT#VisitUrl"
		$string967="#CAMEND"
		$string968="#FreezeIO"
		$string969="#GetClipboardText"
		$string970="#GetScreenSize"
		$string971="#KCMDDC51#-"
		$string972="#KEEPALIVE#"
		$string973="#RemoteScreenSize"
		$string974="#SendClip"
		$string975="#SendTaskMgr"
		$string976="#UnFreezeIO"
		$string977="%IPPORTSCAN"
		// Keylogger / webcam / upload feature names.
		// "ActiveOfflineKeylogger" and "ActiveOnlineKeyStrokes" already match inside
		// their "UnActive..." counterparts below.
		$string978="ActiveOfflineKeylogger"
		$string979="ActiveOnlineKeyStrokes"
		$string980="ActiveOnlineKeylogger"
		$string981="AntiVirusDisableNotify"
		// Spelling kept verbatim ("Libary").
		$string982="BTMemoryLoadLibary: Can't attach library"
		$string983="Be Right Back"
		$string984="DownloadFail"
		$string985="DownloadSuccess"
		$string986="Progman"
		$string987="Sender"
		$string988="UPLOADEXEC"
		$string989="UPLOADFILE"
		$string990="UnActiveOfflineKeylogger"
		$string991="UnActiveOnlineKeyStrokes"
		$string992="UnBlockContact"
		$string993="Video Capture"
		$string994="WEBCAMLIVE"
		$string995="WEBCAMSTOP"
		// Relative path of the hosts file: drivers\etc\hosts
		$string996="drivers\\etc\\hosts"
		// NOTE(review): reads like a decompression-library error message; if so it is
		// present wherever that library is linked.
		$string997="unknown compression method"
		$string998="wscsvc"
		// Bot command verbs (stop, reconnect, flush, kill).
		$string999="fukoff"
		$string1000="httpstop"
		$string1001="logstop"
		$string1002="ftfpstop"
		$string1003="procsstop"
		$string1004="securestop"
		$string1005="reconnect"
		$string1006="disconnect"
		$string1007="botid"
		$string1008="aliases"
		$string1009="flusharp"
		$string1010="flushdns"
		$string1011="crash"
		$string1012="killthreads"
		$string1013="killproc"
		$string1014="killid"
		$string1015=".download"
		$string1016=".update"
		$string1017="Kennwort"
		$string1018="Object dump complete."
		// "PAYPAL" already matches inside "PAYPAL.COM".
		$string1019="PAYPAL"
		$string1020="PAYPAL.COM"
		$string1021="Ping flood"
		$string1022="ROOTED"
		$string1023="Rebooting system"
		$string1024="Reconnecting"
		// "Referer" ($string418) already matches everything this entry matches.
		$string1025="Referer: %s"
		$string1026="Remote Command Prompt"
		$string1027="Removing Bot"
		// Bracketed log-channel tags.
		$string1028="[DDoS]"
		$string1029="[KEYLOG]: %s"
		$string1030="[PRSC]"
		$string1031="[PSNIFF]"
		$string1032="[PING]"
		$string1033="[TFTP]"
		$string1034="[UPD]"
		// Administrator account name in several languages; "administrat" is a stem that
		// already matches "administrateur" and "administrators" ($string429).
		$string1035="administrador"
		$string1036="administrat"
		$string1037="administrateur"
		$string1038="Download complete"
		$string1039="ALIEN-Z"
		// Matches \Google\Chrome\User Data (browser profile directory).
		$string1040="\\Google\\Chrome\\User Data"
		// VNC server function names. Matching is case-sensitive, so "VncStartServer" and
		// "VNCStartServer" are distinct entries.
		$string1041="VncSrvWndProc"
		$string1042="VncStopServer"
		$string1043="VncStartServer"
		$string1044="VNCCreateServer"
		$string1045="VNCServerThread"
		$string1046="VNCStartServer"
		// Loader / protector error messages and PE validation messages.
		// "PhysicalDrive0" already matches inside the device-path form ($string1267).
		$string1047="FPUMaskValue"
		$string1048="PhysicalDrive0"
		$string1049="Protection Error"
		$string1050="LOADER ERROR"
		$string1051="The procedure entry point"
		$string1052="Invalid DOS signature"
		$string1053="Invalid COFF signature"
		$string1054="Invalid Windows Image"
		$string1055="Host is down."
		$string1056="No route to host."
		$string1057="CoMessengerU"
		// Analysis-environment keywords; "emulat" is a stem (emulator, emulation, ...).
		$string1058="debugger"
		$string1059="sample"
		$string1060="virtual"
		$string1061="emulat"
		// NOTE(review): MemoryStream, GZipStream and MulticastDelegate are framework type
		// names that ordinary .NET programs reference; expect benign hits.
		$string1062="GetProcesses"
		$string1063="MemoryStream"
		$string1064="GZipStream"
		$string1065="MulticastDelegate"
		$string1066="IAT processed"
		// A 64-character alphabet with the digits first (differs from the standard
		// Base64 ordering in $string560).
		$string1067="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
		$string1068="putfile:"
		$string1069="getfile:"
		$string1070="outlook"
		// Already matches inside "iexplore.exe" ($string394).
		$string1071="iexplore"
		$string1072="source"
		// Transfer state and error labels. "Connecting" is declared twice ($string1073,
		// $string1076).
		$string1073="Connecting"
		$string1074="Downloading"
		$string1075="Cancelled"
		$string1076="Connecting"
		$string1077="Reconnect Pause"
		$string1078="Terminated"
		$string1079="Transfer Error"
		$string1080="Connection Error"
		$string1081="OpenRequest Error"
		$string1082="SendRequest Error"
		$string1083="URL Parts Error"
		$string1084="CreateThread Error"
		$string1085="Request Error"
		$string1086="Server Error"
		$string1087="Redirection"
		// COM registration keywords and registry key names.
		// NOTE(review): this set looks like the vocabulary of a COM self-registration
		// script; binaries that register COM classes presumably all contain it.
		$string1088="TypeLib"
		$string1089="Hardware"
		$string1090="Interface"
		$string1091="FileType"
		$string1092="Component Categories"
		$string1093="CLSID"
		$string1094="AppID"
		$string1095="Delete"
		$string1096="NoRemove"
		$string1097="ForceRemove"
		// Capability keywords. "miner" already matches inside "coin-miner" ($string271).
		$string1098="Keylogger"
		$string1099="crypter"
		$string1100="dump"
		$string1101="vbox"
		$string1102="NetKeyLogger"
		$string1103="TARGET"
		$string1104="pipeline"
		$string1105="miner"
		// Execute / download / update result labels. "Execute ERROR" ($string1106,
		// $string1109) and "Update ERROR" ($string1110, $string1112) are each declared twice.
		$string1106="Execute ERROR"
		$string1107="Download ERROR"
		$string1108="Executed As"
		$string1109="Execute ERROR"
		$string1110="Update ERROR"
		$string1111="Updating To"
		$string1112="Update ERROR"
		// Windows / IIS service account names and prefixes. "ASPNET" is declared twice
		// ($string1113, $string1116).
		$string1113="ASPNET"
		$string1114="IUSR_"
		$string1115="IWAM_"
		$string1116="ASPNET"
		// Already matches inside the "POP3 ..." entries ($string947-$string949).
		$string1117="POP3"
		// Group-name-looking words.
		$string1118="Authors"
		$string1119="Admins"
		$string1120="Browsers"
		$string1121="Guests"
		$string1122="Users"
		$string1123="Developers"
		$string1124="webBrowser2"
		$string1125="IEFrame"
		// Named-pipe path prefix: four backslashes in the rule are two in the data, so
		// this matches \\.\pipe\
		$string1126="\\\\.\\pipe\\"
		// Error-condition names in identifier form and in message form.
		// NOTE(review): these pairs look like a language runtime's standard error table;
		// if so, every program built with that runtime contains them. Several are
		// declared again later ($string1336-$string1343) - confirm and deduplicate.
		$string1127="permission denied"
		$string1128="permission_denied"
		$string1129="connection_already_in_progress"
		$string1130="connection_aborted"
		$string1131="connection_refused"
		$string1132="host_unreachable"
		$string1133="already_connected"
		$string1134="network_down"
		$string1135="network_reset"
		$string1136="network_unreachable"
		$string1137="not_connected"
		$string1138="wrong_protocol_type"
		$string1139="broken pipe"
		$string1140="connection aborted"
		$string1141="connection already in progress"
		$string1142="connection refused"
		$string1143="host unreachable"
		$string1144="network down"
		$string1145="network reset"
		$string1146="network unreachable"
		$string1147="owner dead"
		$string1148="protocol error"
		$string1149="wrong protocol type"
		$string1150="EXECUTABLE"
		// Account-name-looking words (service and distribution names).
		// NOTE(review): "master", "backup", "daemon", "mysql" and "oracle" are ordinary
		// words in server software and documentation; treat single hits as weak.
		$string1151="master"
		$string1152="debian"
		$string1153="mysql"
		$string1154="daemon"
		$string1155="backup"
		$string1156="marta"
		$string1157="oracle"
		$string1158="redhat"
		// Format template with unexpanded %d placeholders.
		$string1159="VNC%d.%d"
		$string1160="exploitable"
		// "passwd" already matches inside "proxypasswd".
		$string1161="passwd"
		$string1162="proxypasswd"
		$string1163="proxyuser"
		$string1164="Login denied"
		$string1165="Remote file not found"
		// Remote file-manager action names.
		$string1166="RenameFile"
		$string1167="RunPrompt"
		$string1168="RunSelectedAsAdmin"
		$string1169="RunSelectedHidden"
		$string1170="RunSelectedShow"
		$string1171="RemoteMachineName"
		$string1172="AheadLib"
		$string1173="PlusDLL"
		$string1174="PLUSUNIT"
		$string1175="web-browser"
		// PE header structure names as text.
		// NOTE(review): these are type and constant names, not values; they only appear
		// as text where a program carries its own declarations or metadata for them.
		// "IMAGE_THUNK_DAT" is a prefix that already matches "IMAGE_THUNK_DATA32".
		$string1176="IMAGE_DOS_HEADER"
		$string1177="IMAGE_NT_HEADERS32"
		$string1178="IMAGE_FILE_HEADER"
		$string1179="IMAGE_OPTIONAL_HEADER32"
		$string1180="IMAGE_OPTIONAL_HEADER64"
		$string1181="IMAGE_DATA_DIRECTORY"
		$string1182="IMAGE_NT_HEADERS64"
		$string1183="IMAGE_IMPORT_BY_NAME"
		$string1184="IMAGE_IMPORT_DESCRIPTOR"
		$string1185="IMAGE_THUNK_DAT"
		$string1186="IMAGE_THUNK_DATA32"
		$string1187="IMAGE_DELAY_IMPORT_DESCRIPTOR"
		$string1188="IMAGE_NT_OPTIONAL_HDR32_MAGIC"
		$string1189="IMAGE_NT_OPTIONAL_HDR64_MAGIC"
		// PE subsystem constant names.
		$string1190="IMAGE_SUBSYSTEM_UNKNOWN"
		$string1191="IMAGE_SUBSYSTEM_NATIVE"
		$string1192="IMAGE_SUBSYSTEM_WINDOWS_GUI"
		$string1193="IMAGE_SUBSYSTEM_WINDOWS_CUI"
		$string1194="IMAGE_SUBSYSTEM_POSIX_CUI"
		$string1195="IMAGE_SUBSYSTEM_WINDOWS_CE_GUI"
		$string1196="IMAGE_SUBSYSTEM_EFI_APPLICATION"
		$string1197="IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER"
		$string1198="IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER"
		$string1199="IMAGE_SUBSYSTEM_EFI_ROM"
		$string1200="IMAGE_SUBSYSTEM_XBOX"
		// DLL characteristics constant names. The first three are spelled
		// "DLL_CHARACTERISTICS" and the rest "DLLCHARACTERISTICS"; both spellings are
		// kept as found and each matches only its own form.
		$string1201="IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE"
		$string1202="IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY"
		$string1203="IMAGE_DLL_CHARACTERISTICS_NX_COMPAT"
		$string1204="IMAGE_DLLCHARACTERISTICS_NO_ISOLATION"
		$string1205="IMAGE_DLLCHARACTERISTICS_NO_SEH"
		$string1206="IMAGE_DLLCHARACTERISTICS_NO_BIND"
		$string1207="IMAGE_DLLCHARACTERISTICS_WDM_DRIVER"
		$string1208="IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
		// Memory-protection constant names, first with the PAGE_ prefix and then bare.
		// NOTE(review): the bare forms ("EXECUTE", "READONLY", "READWRITE", ...) are
		// substrings of the PAGE_ forms, and "EXECUTE" also matches inside
		// "SHELLEXECUTE" ($string957); under an any-of condition the prefixed entries
		// add nothing. "Protect" likewise matches inside "Protection Error" and
		// "MemoryProtection".
		$string1209="Protect"
		$string1210="PAGE_NOACCESS"
		$string1211="PAGE_READONLY"
		$string1212="PAGE_READWRITE"
		$string1213="PAGE_WRITECOPY"
		$string1214="PAGE_EXECUTE"
		$string1215="PAGE_EXECUTE_READ"
		$string1216="PAGE_EXECUTE_READWRITE"
		$string1217="PAGE_EXECUTE_WRITECOPY"
		$string1218="PAGE_GUARD"
		$string1219="PAGE_NOCACHE"
		$string1220="PAGE_WRITECOMBINE"
		$string1221="EXECUTE"
		$string1222="EXECUTE_READ"
		$string1223="EXECUTE_READWRITE"
		$string1224="EXECUTE_WRITECOPY"
		$string1225="NOACCESS"
		$string1226="READONLY"
		$string1227="READWRITE"
		$string1228="WRITECOPY"
		// MoveFileEx flag names.
		$string1229="MOVEFILE_REPLACE_EXISTING"
		$string1230="MOVEFILE_COPY_ALLOWED"
		$string1231="MOVEFILE_DELAY_UNTIL_REBOOT"
		$string1232="MOVEFILE_WRITE_THROUGH"
		// Access-token information class names.
		// Several shorter names are prefixes of longer ones here (TokenGroups,
		// TokenElevation, TokenImpersonation, TokenPrimary), and "TokenPrivilege"
		// ($string653) already matches "TokenPrivileges".
		$string1233="TokenUser"
		$string1234="TokenGroups"
		$string1235="TokenPrivileges"
		$string1236="TokenOwner"
		$string1237="TokenPrimaryGroup"
		$string1238="TokenDefaultDacl"
		$string1239="TokenSource"
		$string1240="TokenType"
		$string1241="TokenImpersonationLevel"
		$string1242="TokenStatistics"
		$string1243="TokenRestrictedSids"
		$string1244="TokenSessionId"
		$string1245="TokenGroupsAndPrivileges"
		$string1246="TokenSessionReference"
		$string1247="TokenSandBoxInert"
		$string1248="TokenAuditPolicy"
		$string1249="TokenOrigin"
		$string1250="TokenElevationType"
		$string1251="TokenLinkedToken"
		$string1252="TokenElevation"
		$string1253="TokenHasRestrictions"
		$string1254="TokenAccessInformation"
		$string1255="TokenVirtualizationAllowed"
		$string1256="TokenVirtualizationEnabled"
		$string1257="TokenIntegrityLevel"
		$string1258="TokenUIAccess"
		$string1259="TokenMandatoryPolicy"
		$string1260="TokenLogonSid"
		$string1261="TokenPrimary"
		$string1262="TokenImpersonation"
		// Impersonation level names; all four are already matched by the bare
		// "Security" ($string763).
		$string1263="SecurityAnonymous"
		$string1264="SecurityIdentification"
		$string1265="SecurityImpersonation"
		$string1266="SecurityDelegation"
		// Raw-disk device path: four backslashes in the rule are two in the data, so
		// this matches \\.\PhysicalDrive0
		$string1267="\\\\.\\PhysicalDrive0"
		// Virtual-machine driver, device and window-class names.
		// NOTE(review): the bare "VMware" already matches every longer "VMware ..."
		// entry. The virtualisation products' own files will presumably match this run,
		// so a hit means "mentions a hypervisor", not necessarily "evades one".
		$string1268="vmdebug"
		$string1269="VMware Replay Debugging Helper"
		$string1270="VMware VMCI Bus Driver"
		$string1271="vmci"
		$string1272="VMware Pointing Device"
		$string1273="vmmouse"
		$string1274="Virtual Machine Additions Mouse Integration Filter Driver"
		$string1275="msvmmouf"
		$string1276="MS Virtual SCSI Disk Device"
		$string1277="VMware Workstation v10"
		$string1278="VMwareDragDetWndClass"
		$string1279="VMwareSwitchUserControlClass"
		$string1280="VMware"
		$string1281="VMware Pointing"
		$string1282="VMware server memory"
		$string1283="VMware Replay"
		// "Anti..." feature names. "AntiVir" ($string1293) already matches
		// "AntiVirtualBox" and "AntiVirtualPC"; "Malware" matches inside
		// "AntiMalwarebytes".
		$string1284="AntiVirtualBox"
		$string1285="AntiVmWare"
		$string1286="AntiVirtualPC"
		$string1287="AntiMalwarebytes"
		$string1288="AntiOllydbg"
		$string1289="AntiWireshark"
		$string1290="antiSpyware"
		$string1291="Anti-Virus"
		$string1292="avast!"
		$string1293="AntiVir"
		$string1294="Inspection"
		$string1295="Malware"
		// Security product display names.
		// NOTE(review): the products themselves, their installers and documentation
		// contain these names. Short names ("Kaspersky", "F-Secure") already match the
		// longer entries that start with them. "Seciruty" and "BitDefnder" are kept as
		// spelled; presumably they mirror the sample text.
		$string1296="Kaspersky"
		$string1297="BitDefender"
		$string1298="Dr.Web"
		$string1299="Kaspersky Antivirus"
		$string1300="Nod32 Antivirus 2.x"
		$string1301="Ewido Security Suite"
		$string1302="McAfee VirusScan"
		$string1303="Panda Antivirus/Firewall"
		$string1304="Symantec/Norton"
		$string1305="PC-cillin Antivirus"
		$string1306="F-Secure"
		$string1307="Kingsoft ShaDu"
		$string1308="NOD32 Antivirus"
		$string1309="Rising Antivirus"
		$string1310="Jiangmin Antivirus"
		$string1311="360 ShaDu"
		$string1312="360 Safe"
		$string1313="Norton Personal Firewall"
		$string1314="ZoneAlarm"
		$string1315="Comodo Firewall"
		$string1316="eTrust EZ Firewall"
		$string1317="F-Secure Internet Security"
		$string1318="McAfee Personal Firewall"
		$string1319="Outpost Personal Firewall"
		$string1320="Panda Internet Seciruty Suite"
		$string1321="Panda Anti-Virus/Firewall"
		$string1322="BitDefnder/Bull Guard Antivirus"
		$string1323="Rising Firewall"
		$string1324="360Safe AntiArp"
		$string1325="Kingsoft Safe"
		$string1326="NEWGRAB"
		$string1327="SCREENSHOT"
		$string1328=",AddressBook"
		$string1329="TrustedPeople"
		$string1330="TrustedPublisher"
		$string1331="RunProgram"
		$string1332="GUIMode"
		$string1333="@Install@"
		$string1334="@InstallEnd@"
		$string1335="protocol_not_supported"
		$string1336="network down"
		$string1337="network reset"
		$string1338="network unreachable"
		$string1339="network_down"
		$string1340="network_reset"
		$string1341="network_unreachable"
		$string1342="host unreachable"
		$string1343="host_unreachable"
		$string1344="PendingFileRenameOperations"
		$string1345="MyApplication.app"
		$string1346="Microsoft.Windows.MyCoolApp"
		$string1347="Application description here"
		$string1348="InstallHOOK"
		$string1349="InstallLocalHOOK"
		$string1350="UninstallHOOK"
		$string1351="ZLibEx"
		$string1352="PsAPI"
		$string1353="Xenocode Virtual Desktop"
		$string1354="start.spoon.net"
		$string1355="Spoon Virtual Machine"
		$string1356="Xenocode Virtual Appliance Runtime"
		$string1357="CPlApplet"
		$string1358="Java Security Plugin"
		$string1359="javaplugin"
		$string1360="Java Security Plugin"
		$string1361="Sun Java Security Plugin"
		$string1362="VMProtect begin"
		$string1363="VMProtect end"
		// Mixed keywords. Several entries in this run are ordinary English words or
		// common UI/registry terms ("friend", "Cookies", "silent", "anonymous",
		// "antivirus", "Manager", "Updater"). Because the rule's condition is
		// `any of them`, any one of these appearing anywhere in a scanned file is
		// enough to fire the rule, so expect hits on benign software.
		$string1364="[BeginChat]"
		$string1365="friend"
		$string1366="KernelUtil"
		$string1367="NETWORK SERVICE"
		$string1368="Cookies"
		$string1369="Administrative Tools"
		$string1370="WinFTP"
		$string1371="PortNumber"
		// Name of a process-creation flag, matched here as text.
		$string1372="CREATE_SUSPENDED"
		// Windows Script Host identifiers for encoded VBScript/JScript and the host object.
		$string1373="VBScript.Encode"
		$string1374="JScript.Encode"
		$string1375="WScript"
		// "ExeScript" is a substring of $string1376 and $string1379, so the two longer
		// entries only add detail to the match report, not extra coverage.
		$string1376="ExeScriptPAD"
		$string1377="ExeScript"
		$string1378="silent"
		$string1379="ExeScript Host"
		// DOM unload event handler names.
		$string1380="onbeforeunload"
		$string1381="onunload"
		$string1382="Godmode"
		$string1383="anonymous"
		$string1384="Connecting...."
		$string1385="DECOMPRESSOR"
		// Matching is case-sensitive: "antivirus" does not match inside "AntivirusProduct".
		$string1386="antivirus"
		$string1387="AntivirusProduct"
		$string1388="DefaultBrowser"
		$string1389="MemoryProtection"
		$string1390="Manager"
		$string1391="BaseScript"
		$string1392="Updater"
		$string1393="SafeStarter"
		// Process-creation and API-hooking identifiers. "DetourHook" is a substring
		// of $string1395.
		$string1394="CreateProcessInternal"
		$string1395="IDetourHook"
		$string1396="DetourHook"
		// WMI namespace and scripting locator. In YARA text strings "\\" is the escape
		// for one backslash, so $string1399 matches the bytes ROOT\CIMV2.
		$string1397="root/cimv2"
		$string1398="WbemScripting.SWbemLocator"
		$string1399="ROOT\\CIMV2"
		// Query strings. Matching is case-sensitive, so only this exact
		// "SELECT * from" casing is covered.
		$string1400="SELECT * from tab_online"
		$string1401="SELECT * from %s"
		// moz_logins is the table name used by Firefox's stored-logins database.
		$string1402="SELECT * from moz_logins"
		// $string1403 and $string1404 are identical, and this bare prefix is a
		// substring of every other "SELECT * from ..." entry in this group. Under
		// `any of them` the longer entries therefore never change the verdict; they
		// only show up as extra detail in the match report.
		$string1403="SELECT * from"
		$string1404="SELECT * from"
		// WMI class queries: hardware/OS inventory, WMI provider enumeration, and
		// installed security products. $string1409 and $string1411 are identical.
		$string1405="SELECT * from Win32_BaseBoard"
		$string1406="SELECT * from Win32_OperatingSystem"
		$string1407="SELECT * from Win32_Processor"
		$string1408="SELECT * from Win32_TimeZone"
		$string1409="SELECT * from msft_providers"
		$string1410="SELECT * from __win32provider where Name"
		$string1411="SELECT * from msft_providers"
		$string1412="SELECT * from msft_providers where HostProcessIdentifier"
		$string1413="SELECT * from AntivirusProduct"
		$string1414="SELECT * from FirewallProduct"
		$string1415="SELECT * from Win32_ComputerSystem"
		$string1416="SELECT * from Win32_Process"
		$string1417="SELECT * from Win32_BIOS"
		$string1418="SELECT * from Win32_VideoController"
		$string1419="SELECT * from Win32_SystemEnclosure"
		// WMI property names. "Manufacturer" and "Model" are generic words and will
		// match widely on their own.
		$string1420="Manufacturer"
		$string1421="Model"
		$string1422="SerialNumber"
		$string1423="ChassisTypes"
		$string1424="SMBIOSAssetTag"
		// SQL DDL format strings.
		// NOTE(review): the %Q / %T / %.*s specifiers and "sqlite_master" look like
		// format strings from the SQLite library itself; presumably any program that
		// embeds SQLite contains them. Verify before treating a hit as suspicious.
		$string1425="CREATE %s %.*s"
		$string1426="CREATE TABLE"
		$string1427="CREATE TABLE %Q.%s(%s)"
		$string1428="CREATE TABLE sqlite_master("
		$string1429="CREATE VIRTUAL TABLE %T"
		$string1430="CREATE%s INDEX %.*s"
		// Window message names, matched as text. WM_HTML_GETOBJECT is the registered
		// message name used to obtain the HTML document object from a browser window.
		$string1431="WMessages"
		$string1432="WM_HTML_GETOBJECT"
		$string1433="WM_MOUSEMOVE"
		$string1434="WM_LBUTTONUP"
		$string1435="WM_LBUTTONDOWN"
		$string1436="WM_COPYDATA"
		// Names of access-token rights, an error code, mandatory integrity-level RIDs
		// and SE_GROUP_* attributes.
		// NOTE(review): these are constant *names*, not values. Compiled native code
		// normally embeds only the numeric values, so these presumably hit scripts or
		// script-based executables that declare the constants by name. Confirm which
		// file types the rule is meant to scan.
		$string1437="STANDARD_RIGHTS_REQUIRED"
		$string1438="STANDARD_RIGHTS_READ"
		$string1439="TOKEN_ASSIGN_PRIMARY"
		$string1440="TOKEN_DUPLICATE"
		$string1441="TOKEN_IMPERSONATE"
		// "TOKEN_QUERY" is a substring of $string1443.
		$string1442="TOKEN_QUERY"
		$string1443="TOKEN_QUERY_SOURCE"
		$string1444="TOKEN_ADJUST_PRIVILEGES"
		$string1445="TOKEN_ADJUST_GROUPS"
		$string1446="TOKEN_ADJUST_DEFAULT"
		$string1447="TOKEN_ADJUST_SESSIONID"
		$string1448="TOKEN_READ"
		$string1449="TOKEN_ALL_ACCESS"
		$string1450="ERROR_INSUFFICIENT_BUFFER"
		$string1451="SECURITY_MANDATORY_UNTRUSTED_RID"
		$string1452="SECURITY_MANDATORY_LOW_RID"
		$string1453="SECURITY_MANDATORY_MEDIUM_RID"
		$string1454="SECURITY_MANDATORY_HIGH_RID"
		$string1455="SECURITY_MANDATORY_SYSTEM_RID"
		$string1456="SECURITY_MANDATORY_LABEL_AUTHORITY"
		$string1457="SE_GROUP_MANDATORY"
		// "SE_GROUP_ENABLED" is a substring of $string1458; "SE_GROUP_INTEGRITY" is a
		// substring of $string1463.
		$string1458="SE_GROUP_ENABLED_BY_DEFAULT"
		$string1459="SE_GROUP_ENABLED"
		$string1460="SE_GROUP_OWNER"
		$string1461="SE_GROUP_USE_FOR_DENY_ONLY"
		$string1462="SE_GROUP_INTEGRITY"
		$string1463="SE_GROUP_INTEGRITY_ENABLED"
		$string1464="SE_GROUP_LOGON_ID"
		$string1465="SE_GROUP_RESOURCE"
		$string1466="SE_GROUP_VALID_ATTRIBUTES"
		// .NET type and namespace names. These are standard framework namespaces, so
		// with the rule's `any of them` condition they are expected to match ordinary
		// managed assemblies; treat a hit as "is a .NET program that uses X", not as a
		// sign of malice. "System.Security" is a substring of $string1470 and $string1474.
		$string1467="RuntimeHelpers"
		$string1468="System.Security"
		$string1469="System.Runtime.CompilerServices"
		$string1470="System.Security.Cryptography"
		$string1471="System.Reflection"
		$string1472="System.Text.RegularExpressions"
		$string1473="System.Runtime.InteropServices"
		$string1474="System.Security.Principal"
		$string1475="System.Threading"
		$string1476="System.IO.Compression"
		$string1477="System.Net.Configuration"
		$string1478="System.Net.Sockets"
		$string1479="Microsoft.VisualBasic.CompilerServices"
		// Window class name of the embedded Internet Explorer rendering control.
		$string1480="Internet Explorer_Server"
		// Script language and execution identifiers. Matching is case-sensitive, which
		// is why both "javascript" and "JavaScript" are listed; other casings
		// (e.g. "VBScript") are not covered by these entries.
		$string1481="vbscript"
		$string1482="javascript"
		$string1483="JavaScript"
		$string1484="execScript"
		$string1485="AutoRun"
		// Cryptography parameter and cipher names. "Algorithm" is a generic word and
		// will match widely on its own.
		$string1486="HashSize"
		$string1487="Algorithm"
		$string1488="BlockSize"
		$string1489="CipherMode"
		$string1490="Twofish"
		$string1491="Wrong password"
		// HTTP header names (with trailing colon) and HTTP Digest authentication
		// parameter names. Any program that speaks HTTP is likely to contain several
		// of these, and short lower-case words such as "stale", "realm", "opaque" and
		// "nonce" also occur in unrelated text.
		// "User-Agent:" is declared twice ($string1493 and $string1505).
		$string1492="Proxy-Connection:"
		$string1493="User-Agent:"
		$string1494="WWW-Authenticate:"
		$string1495="Proxy-authenticate:"
		$string1496="Content-Length:"
		// "Connection:" is a substring of $string1492.
		$string1497="Connection:"
		$string1498="Transfer-Encoding:"
		$string1499="GOPHER"
		$string1500="Digest"
		$string1501="nonce"
		$string1502="stale"
		$string1503="realm"
		$string1504="opaque"
		$string1505="User-Agent:"
		$string1506="Referer:"
		$string1507="Range:"
		// Windows user-profile and shell folder paths. "\\" is YARA's escape for one
		// backslash, so e.g. $string1508 matches the bytes AppData\Local.
		// Shorter entries are substrings of the longer ones ("AppData\\Local",
		// "AppData\\Roaming", "Microsoft\\Windows\\Start Menu", ...), so under
		// `any of them` the longer paths add match-report detail only.
		$string1508="AppData\\Local"
		$string1509="AppData\\Local\\Microsoft\\Windows\\History"
		$string1510="AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
		$string1511="AppData\\Roaming"
		$string1512="AppData\\Roaming\\Microsoft\\Windows\\Cookies"
		$string1513="AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts"
		$string1514="AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts"
		$string1515="AppData\\Roaming\\Microsoft\\Windows\\Recent"
		$string1516="AppData\\Roaming\\Microsoft\\Windows\\SendTo"
		$string1517="AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
		$string1518="AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
		$string1519="AppData\\Roaming\\Microsoft\\Windows\\Templates"
		// NOTE(review): the bare words in this group ("Default", "Documents", "Music",
		// "Pictures", "System", "Videos") are case-sensitive substring matches with no
		// `fullword` modifier. "System" alone matches inside any "System.*" identifier
		// or "SystemRoot", so this group makes the rule fire on a very large share of
		// files. Consider whether they belong in a rule whose condition is `any of them`.
		$string1520="Default"
		$string1521="Documents"
		$string1522="Microsoft\\Windows\\Start Menu"
		$string1523="Microsoft\\Windows\\Start Menu\\Programs"
		$string1524="Microsoft\\Windows\\Templates"
		$string1525="Music"
		$string1526="Pictures"
		$string1527="Public\\Desktop"
		$string1528="Public\\Documents"
		$string1529="Public\\Favorites"
		$string1530="Public\\Music"
		$string1531="Public\\Pictures"
		$string1532="Public\\Videos"
		$string1533="System"
		$string1534="Videos"
		$string1535="Windows NT\\Accessories"
		// Tail of the Explorer "Shell Folders" registry key path.
		$string1536="Explorer\\Shell Folders"
		// Class names with the T*/E* prefix convention.
		// NOTE(review): these look like Delphi / Free Pascal runtime-library class
		// names (TStream, TComponent, TStringList, TFPList, ...); presumably they
		// identify the toolchain a binary was built with rather than any behaviour.
		// Confirm that fingerprinting the compiler is the intent.
		$string1537="TCoreThread"
		$string1538="EObserver"
		$string1539="TStream"
		$string1540="TFiler"
		// NOTE(review): the trailing "H" and "4" in the next two entries look like
		// neighbouring bytes captured along with the class name when the strings were
		// extracted from a sample; if so these match only binaries with that exact
		// layout. Verify against the source sample.
		$string1541="TReaderH"
		$string1542="TWriter4"
		$string1543="TComponent"
		$string1544="TFPList"
		$string1545="TList"
		$string1546="TThreadList"
		$string1547="TPersistent"
		$string1548="TCollection"
		$string1549="TStrings"
		$string1550="TStringList"
		$string1551="TOwnerStream"
		$string1552="THandleStream"
		$string1553="TFileStream"
		$string1554="TCustomMemoryStream"
		$string1555="TRegExpr"
		$string1556="ERegExpr"
		// AutoIt interpreter and compiled-script strings. AutoIt is a general-purpose
		// automation tool, so a hit here identifies an AutoIt-based program, not
		// malicious behaviour by itself.
		// Duplicates in this group: $string1557/$string1568, $string1558/$string1567
		// and $string1559/$string1566 hold the same text. The bare "AutoIt"
		// ($string1563) is a substring of every mixed-case "AutoIt..." entry, so under
		// `any of them` those longer entries add match-report detail only. The
		// upper-case "AUTOIT..." entries are separate because matching is case-sensitive.
		$string1557="AutoIt3ExecuteLine"
		$string1558="AutoIt3ExecuteScript"
		$string1559="AutoIt3OutputDebug"
		$string1560="AutoIt3GUI"
		$string1561="AutoIt v3"
		$string1562="AutoIt script files (*.au3, *.a3x)"
		$string1563="AutoIt"
		$string1564="AUTOIT SCRIPT"
		$string1565="AUTOIT NO CMDEXECUTE"
		$string1566="AutoIt3OutputDebug"
		$string1567="AutoIt3ExecuteScript"
		$string1568="AutoIt3ExecuteLine"
		$string1569="#NoAutoIt3Execute"
		$string1570="Software\\AutoIt v3\\AutoIt"
		$string1571="*.au3;*.a3x"
		$string1572="AutoIt Error"
		$string1573="AutoIt has detected the stack has become corrupt."
		$string1574="CompiledScript"
		// Version-specific script markers (3.3.8.1 and 3.3.8.0 as written); other
		// versions are only covered through the shorter "AutoIt v3" entry.
		$string1575="AutoIt v3 Script: 3, 3, 8, 1"
		$string1576="AutoIt v3 Script: 3, 3, 8, 0"
		$string1577="AutoIt3"
		// Upper-case AutoIt macro / function name tokens.
		$string1578="AUTOITPID"
		$string1579="AUTOITEXE"
		$string1580="AUTOITVERSION"
		$string1581="AUTOITSETOPTION"
		$string1582="AUTOITWINGETTITLE"
		$string1583="AUTOITWINSETTITLE"
    condition:
		// The rule fires when at least one string declared in this rule occurs
		// anywhere in the scanned data. `them` covers every $-identifier in the rule,
		// and none of the strings above carries a modifier, so each is a
		// case-sensitive ASCII substring match (UTF-16 occurrences are not matched).
		//
		// NOTE(review): the list includes very common words and identifiers
		// (e.g. "System", "Default", "Manager", "silent", "friend", "User-Agent:"),
		// so a single hit is close to guaranteed on most executables and many
		// documents. Use a match as a source of string annotations for triage, not as
		// a detection verdict. If a verdict is wanted, consider splitting the generic
		// entries out or requiring several hits (e.g. `N of ($string*)`) after
		// measuring false positives on a clean corpus.
		any of them
}
